Mercurial > hg > soundsoftware-site

annotate extra/soundsoftware/SoundSoftware.pm @ 851:2f5046e94b6d bug_255

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Close obsolete branch bug_255
author Chris Cannam
date Sat, 13 Aug 2011 14:40:15 +0100
parents a2192366d309
children 897bc2b63bfe
rev   line source
Chris@7 1 package Apache::Authn::SoundSoftware;
Chris@7 2
Chris@7 3 =head1 Apache::Authn::SoundSoftware
Chris@7 4
Chris@7 5 SoundSoftware - a mod_perl module for Apache authentication against a
Chris@7 6 Redmine database and optional LDAP implementing the access control
Chris@7 7 rules required for the SoundSoftware.ac.uk repository site.
Chris@7 8
Chris@7 9 =head1 SYNOPSIS
Chris@7 10
Chris@7 11 This module is closely based on the Redmine.pm authentication module
Chris@7 12 provided with Redmine. It is intended to be used for authentication
Chris@7 13 in front of a repository service such as hgwebdir.
Chris@7 14
Chris@7 15 Requirements:
Chris@7 16
Chris@7 17 1. Clone/pull from repo for public project: Any user, no
Chris@7 18 authentication required
Chris@7 19
Chris@7 20 2. Clone/pull from repo for private project: Project members only
Chris@7 21
Chris@7 22 3. Push to repo for public project: "Permitted" users only (this
Chris@8 23 probably means project members who are also identified in the hgrc web
Chris@8 24 section for the repository and so will be approved by hgwebdir?)
Chris@7 25
Chris@8 26 4. Push to repo for private project: "Permitted" users only (as above)
Chris@7 27
chris@300 28 5. Push to any repo that is tracking an external repo: Refused always
chris@300 29
Chris@7 30 =head1 INSTALLATION
Chris@7 31
Chris@7 32 Debian/ubuntu:
Chris@7 33
Chris@7 34 apt-get install libapache-dbi-perl libapache2-mod-perl2 \
Chris@7 35 libdbd-mysql-perl libauthen-simple-ldap-perl libio-socket-ssl-perl
Chris@7 36
Chris@7 37 Note that LDAP support is hardcoded "on" in this script (it is
Chris@7 38 optional in the original Redmine.pm).
Chris@7 39
Chris@7 40 =head1 CONFIGURATION
Chris@7 41
Chris@7 42 ## This module has to be in your perl path
Chris@7 43 ## eg: /usr/local/lib/site_perl/Apache/Authn/SoundSoftware.pm
Chris@7 44 PerlLoadModule Apache::Authn::SoundSoftware
Chris@7 45
Chris@7 46 # Example when using hgwebdir
Chris@7 47 ScriptAlias / "/var/hg/hgwebdir.cgi/"
Chris@7 48
Chris@7 49 <Location />
Chris@7 50 AuthName "Mercurial"
Chris@7 51 AuthType Basic
Chris@7 52 Require valid-user
Chris@7 53 PerlAccessHandler Apache::Authn::SoundSoftware::access_handler
Chris@7 54 PerlAuthenHandler Apache::Authn::SoundSoftware::authen_handler
Chris@7 55 SoundSoftwareDSN "DBI:mysql:database=redmine;host=localhost"
Chris@7 56 SoundSoftwareDbUser "redmine"
Chris@7 57 SoundSoftwareDbPass "password"
Chris@7 58 Options +ExecCGI
Chris@7 59 AddHandler cgi-script .cgi
Chris@7 60 ## Optional where clause (fulltext search would be slow and
Chris@7 61 ## database dependant).
Chris@7 62 # SoundSoftwareDbWhereClause "and members.role_id IN (1,2)"
Chris@8 63 ## Optional prefix for local repository URLs
Chris@8 64 # SoundSoftwareRepoPrefix "/var/hg/"
Chris@7 65 </Location>
Chris@7 66
Chris@7 67 See the original Redmine.pm for further configuration notes.
Chris@7 68
Chris@7 69 =cut
Chris@7 70
Chris@7 71 use strict;
Chris@7 72 use warnings FATAL => 'all', NONFATAL => 'redefine';
Chris@7 73
Chris@7 74 use DBI;
Chris@7 75 use Digest::SHA1;
Chris@7 76 use Authen::Simple::LDAP;
Chris@7 77 use Apache2::Module;
Chris@7 78 use Apache2::Access;
Chris@7 79 use Apache2::ServerRec qw();
Chris@7 80 use Apache2::RequestRec qw();
Chris@7 81 use Apache2::RequestUtil qw();
Chris@7 82 use Apache2::Const qw(:common :override :cmd_how);
Chris@7 83 use APR::Pool ();
Chris@7 84 use APR::Table ();
Chris@7 85
Chris@7 86 my @directives = (
Chris@7 87 {
Chris@7 88 name => 'SoundSoftwareDSN',
Chris@7 89 req_override => OR_AUTHCFG,
Chris@7 90 args_how => TAKE1,
Chris@7 91 errmsg => 'Dsn in format used by Perl DBI. eg: "DBI:Pg:dbname=databasename;host=my.db.server"',
Chris@7 92 },
Chris@7 93 {
Chris@7 94 name => 'SoundSoftwareDbUser',
Chris@7 95 req_override => OR_AUTHCFG,
Chris@7 96 args_how => TAKE1,
Chris@7 97 },
Chris@7 98 {
Chris@7 99 name => 'SoundSoftwareDbPass',
Chris@7 100 req_override => OR_AUTHCFG,
Chris@7 101 args_how => TAKE1,
Chris@7 102 },
Chris@7 103 {
Chris@7 104 name => 'SoundSoftwareDbWhereClause',
Chris@7 105 req_override => OR_AUTHCFG,
Chris@7 106 args_how => TAKE1,
Chris@7 107 },
Chris@7 108 {
Chris@8 109 name => 'SoundSoftwareRepoPrefix',
Chris@7 110 req_override => OR_AUTHCFG,
Chris@7 111 args_how => TAKE1,
Chris@7 112 },
Chris@7 113 );
Chris@7 114
Chris@7 115 sub SoundSoftwareDSN {
Chris@8 116 my ($self, $parms, $arg) = @_;
Chris@8 117 $self->{SoundSoftwareDSN} = $arg;
Chris@8 118 my $query = "SELECT
chris@301 119 hashed_password, salt, auth_source_id, permissions
Chris@7 120 FROM members, projects, users, roles, member_roles
Chris@7 121 WHERE
Chris@7 122 projects.id=members.project_id
Chris@7 123 AND member_roles.member_id=members.id
Chris@7 124 AND users.id=members.user_id
Chris@7 125 AND roles.id=member_roles.role_id
Chris@7 126 AND users.status=1
Chris@7 127 AND login=?
Chris@7 128 AND identifier=? ";
Chris@8 129 $self->{SoundSoftwareQuery} = trim($query);
Chris@7 130 }
Chris@7 131
Chris@7 132 sub SoundSoftwareDbUser { set_val('SoundSoftwareDbUser', @_); }
Chris@7 133 sub SoundSoftwareDbPass { set_val('SoundSoftwareDbPass', @_); }
Chris@7 134 sub SoundSoftwareDbWhereClause {
Chris@8 135 my ($self, $parms, $arg) = @_;
Chris@8 136 $self->{SoundSoftwareQuery} = trim($self->{SoundSoftwareQuery}.($arg ? $arg : "")." ");
Chris@7 137 }
Chris@7 138
Chris@8 139 sub SoundSoftwareRepoPrefix {
Chris@8 140 my ($self, $parms, $arg) = @_;
Chris@8 141 if ($arg) {
Chris@8 142 $self->{SoundSoftwareRepoPrefix} = $arg;
Chris@8 143 }
Chris@7 144 }
Chris@7 145
Chris@7 146 sub trim {
Chris@8 147 my $string = shift;
Chris@8 148 $string =~ s/\s{2,}/ /g;
Chris@8 149 return $string;
Chris@7 150 }
Chris@7 151
Chris@7 152 sub set_val {
Chris@8 153 my ($key, $self, $parms, $arg) = @_;
Chris@8 154 $self->{$key} = $arg;
Chris@7 155 }
Chris@7 156
Chris@7 157 Apache2::Module::add(__PACKAGE__, \@directives);
Chris@7 158
Chris@7 159
Chris@7 160 my %read_only_methods = map { $_ => 1 } qw/GET PROPFIND REPORT OPTIONS/;
Chris@7 161
Chris@7 162 sub access_handler {
Chris@8 163 my $r = shift;
Chris@7 164
Chris@517 165 print STDERR "SoundSoftware.pm:$$: In access handler at " . scalar localtime() . "\n";
Chris@7 166
Chris@8 167 unless ($r->some_auth_required) {
Chris@8 168 $r->log_reason("No authentication has been configured");
Chris@8 169 return FORBIDDEN;
Chris@8 170 }
Chris@7 171
Chris@8 172 my $method = $r->method;
Chris@7 173
Chris@517 174 print STDERR "SoundSoftware.pm:$$: Method: $method, uri " . $r->uri . ", location " . $r->location . "\n";
Chris@517 175 print STDERR "SoundSoftware.pm:$$: Accept: " . $r->headers_in->{Accept} . "\n";
Chris@7 176
Chris@8 177 my $dbh = connect_database($r);
Chris@152 178 unless ($dbh) {
Chris@517 179 print STDERR "SoundSoftware.pm:$$: Database connection failed!: " . $DBI::errstr . "\n";
Chris@152 180 return FORBIDDEN;
Chris@152 181 }
Chris@152 182
chris@300 183 print STDERR "Connected to db, dbh is " . $dbh . "\n";
Chris@7 184
Chris@8 185 my $project_id = get_project_identifier($dbh, $r);
chris@300 186
chris@300 187 if (!defined $read_only_methods{$method}) {
Chris@517 188 print STDERR "SoundSoftware.pm:$$: Method is not read-only\n";
chris@300 189 if (project_repo_is_readonly($dbh, $project_id, $r)) {
Chris@517 190 print STDERR "SoundSoftware.pm:$$: Project repo is read-only, refusing access\n";
chris@300 191 return FORBIDDEN;
chris@300 192 } else {
Chris@517 193 print STDERR "SoundSoftware.pm:$$: Project repo is read-write, authentication handler required\n";
chris@300 194 return OK;
chris@300 195 }
chris@300 196 }
chris@300 197
Chris@8 198 my $status = get_project_status($dbh, $project_id, $r);
Chris@7 199
Chris@8 200 $dbh->disconnect();
Chris@8 201 undef $dbh;
Chris@7 202
Chris@8 203 if ($status == 0) { # nonexistent
Chris@517 204 print STDERR "SoundSoftware.pm:$$: Project does not exist, refusing access\n";
Chris@8 205 return FORBIDDEN;
Chris@8 206 } elsif ($status == 1) { # public
Chris@517 207 print STDERR "SoundSoftware.pm:$$: Project is public, no restriction here\n";
Chris@8 208 $r->set_handlers(PerlAuthenHandler => [\&OK])
Chris@8 209 } else { # private
Chris@517 210 print STDERR "SoundSoftware.pm:$$: Project is private, authentication handler required\n";
Chris@8 211 }
Chris@7 212
Chris@8 213 return OK
Chris@7 214 }
Chris@7 215
Chris@7 216 sub authen_handler {
Chris@8 217 my $r = shift;
Chris@8 218
Chris@517 219 print STDERR "SoundSoftware.pm:$$: In authentication handler at " . scalar localtime() . "\n";
Chris@7 220
Chris@8 221 my $dbh = connect_database($r);
Chris@152 222 unless ($dbh) {
Chris@517 223 print STDERR "SoundSoftware.pm:$$: Database connection failed!: " . $DBI::errstr . "\n";
Chris@152 224 return AUTH_REQUIRED;
Chris@152 225 }
Chris@8 226
Chris@8 227 my $project_id = get_project_identifier($dbh, $r);
Chris@8 228 my $realm = get_realm($dbh, $project_id, $r);
Chris@8 229 $r->auth_name($realm);
Chris@8 230
Chris@8 231 my ($res, $redmine_pass) = $r->get_basic_auth_pw();
Chris@8 232 unless ($res == OK) {
Chris@8 233 $dbh->disconnect();
Chris@8 234 undef $dbh;
Chris@8 235 return $res;
Chris@8 236 }
Chris@8 237
Chris@517 238 print STDERR "SoundSoftware.pm:$$: User is " . $r->user . ", got password\n";
Chris@8 239
Chris@8 240 my $permitted = is_permitted($dbh, $project_id, $r->user, $redmine_pass, $r);
Chris@8 241
Chris@8 242 $dbh->disconnect();
Chris@8 243 undef $dbh;
Chris@8 244
Chris@8 245 if ($permitted) {
Chris@8 246 return OK;
Chris@8 247 } else {
Chris@517 248 print STDERR "SoundSoftware.pm:$$: Not permitted\n";
Chris@8 249 $r->note_auth_failure();
Chris@8 250 return AUTH_REQUIRED;
Chris@8 251 }
Chris@7 252 }
Chris@7 253
Chris@7 254 sub get_project_status {
Chris@8 255 my $dbh = shift;
Chris@7 256 my $project_id = shift;
Chris@7 257 my $r = shift;
Chris@8 258
Chris@8 259 if (!defined $project_id or $project_id eq '') {
Chris@8 260 return 0; # nonexistent
Chris@8 261 }
Chris@7 262
Chris@7 263 my $sth = $dbh->prepare(
Chris@7 264 "SELECT is_public FROM projects WHERE projects.identifier = ?;"
Chris@7 265 );
Chris@7 266
Chris@7 267 $sth->execute($project_id);
Chris@8 268 my $ret = 0; # nonexistent
Chris@7 269 if (my @row = $sth->fetchrow_array) {
Chris@7 270 if ($row[0] eq "1" || $row[0] eq "t") {
Chris@7 271 $ret = 1; # public
Chris@7 272 } else {
Chris@8 273 $ret = 2; # private
Chris@7 274 }
Chris@7 275 }
Chris@7 276 $sth->finish();
Chris@7 277 undef $sth;
Chris@7 278
Chris@7 279 $ret;
Chris@7 280 }
Chris@7 281
chris@300 282 sub project_repo_is_readonly {
chris@300 283 my $dbh = shift;
chris@300 284 my $project_id = shift;
chris@300 285 my $r = shift;
chris@300 286
chris@300 287 if (!defined $project_id or $project_id eq '') {
chris@300 288 return 0; # nonexistent
chris@300 289 }
chris@300 290
chris@300 291 my $sth = $dbh->prepare(
chris@300 292 "SELECT repositories.is_external FROM repositories, projects WHERE projects.identifier = ? AND repositories.project_id = projects.id;"
chris@300 293 );
chris@300 294
chris@300 295 $sth->execute($project_id);
chris@300 296 my $ret = 0; # nonexistent
chris@300 297 if (my @row = $sth->fetchrow_array) {
chris@301 298 if (defined($row[0]) && ($row[0] eq "1" || $row[0] eq "t")) {
chris@300 299 $ret = 1; # read-only (i.e. external)
chris@300 300 } else {
chris@300 301 $ret = 0; # read-write
chris@300 302 }
chris@300 303 }
chris@300 304 $sth->finish();
chris@300 305 undef $sth;
chris@300 306
chris@300 307 $ret;
chris@300 308 }
chris@300 309
Chris@8 310 sub is_permitted {
Chris@8 311 my $dbh = shift;
Chris@8 312 my $project_id = shift;
Chris@8 313 my $redmine_user = shift;
Chris@8 314 my $redmine_pass = shift;
Chris@8 315 my $r = shift;
Chris@7 316
Chris@8 317 my $pass_digest = Digest::SHA1::sha1_hex($redmine_pass);
Chris@7 318
Chris@8 319 my $cfg = Apache2::Module::get_config
Chris@8 320 (__PACKAGE__, $r->server, $r->per_dir_config);
Chris@7 321
Chris@8 322 my $query = $cfg->{SoundSoftwareQuery};
Chris@8 323 my $sth = $dbh->prepare($query);
Chris@8 324 $sth->execute($redmine_user, $project_id);
Chris@7 325
Chris@8 326 my $ret;
chris@301 327 while (my ($hashed_password, $salt, $auth_source_id, $permissions) = $sth->fetchrow_array) {
Chris@7 328
Chris@8 329 # Test permissions for this user before we verify credentials
Chris@8 330 # -- if the user is not permitted this action anyway, there's
Chris@8 331 # not much point in e.g. contacting the LDAP
Chris@7 332
Chris@8 333 my $method = $r->method;
Chris@7 334
Chris@8 335 if ((defined $read_only_methods{$method} && $permissions =~ /:browse_repository/)
Chris@8 336 || $permissions =~ /:commit_access/) {
Chris@8 337
Chris@8 338 # User would be permitted this action, if their
Chris@8 339 # credentials checked out -- test those now
Chris@8 340
Chris@8 341 print STDERR "SoundSoftware.pm: User $redmine_user has required role, checking credentials\n";
Chris@8 342
Chris@8 343 unless ($auth_source_id) {
chris@301 344 my $salted_password = Digest::SHA1::sha1_hex($salt.$pass_digest);
chris@301 345 if ($hashed_password eq $salted_password) {
Chris@8 346 print STDERR "SoundSoftware.pm: User $redmine_user authenticated via password\n";
Chris@8 347 $ret = 1;
Chris@8 348 last;
Chris@8 349 }
Chris@8 350 } else {
Chris@8 351 my $sthldap = $dbh->prepare(
Chris@8 352 "SELECT host,port,tls,account,account_password,base_dn,attr_login FROM auth_sources WHERE id = ?;"
Chris@8 353 );
Chris@8 354 $sthldap->execute($auth_source_id);
Chris@8 355 while (my @rowldap = $sthldap->fetchrow_array) {
Chris@8 356 my $ldap = Authen::Simple::LDAP->new(
Chris@8 357 host => ($rowldap[2] eq "1" || $rowldap[2] eq "t") ? "ldaps://$rowldap[0]" : $rowldap[0],
Chris@8 358 port => $rowldap[1],
Chris@8 359 basedn => $rowldap[5],
Chris@8 360 binddn => $rowldap[3] ? $rowldap[3] : "",
Chris@8 361 bindpw => $rowldap[4] ? $rowldap[4] : "",
Chris@8 362 filter => "(".$rowldap[6]."=%s)"
Chris@8 363 );
Chris@8 364 if ($ldap->authenticate($redmine_user, $redmine_pass)) {
Chris@517 365 print STDERR "SoundSoftware.pm:$$: User $redmine_user authenticated via LDAP\n";
Chris@8 366 $ret = 1;
Chris@8 367 }
Chris@8 368 }
Chris@8 369 $sthldap->finish();
Chris@8 370 undef $sthldap;
Chris@8 371 }
Chris@8 372 } else {
Chris@517 373 print STDERR "SoundSoftware.pm:$$: User $redmine_user lacks required role for this project\n";
Chris@8 374 }
Chris@7 375 }
Chris@7 376
Chris@8 377 $sth->finish();
Chris@8 378 undef $sth;
Chris@8 379
Chris@8 380 $ret;
Chris@7 381 }
Chris@7 382
Chris@7 383 sub get_project_identifier {
Chris@8 384 my $dbh = shift;
Chris@7 385 my $r = shift;
Chris@7 386
Chris@7 387 my $location = $r->location;
Chris@7 388 my ($repo) = $r->uri =~ m{$location/*([^/]+)};
Chris@10 389
Chris@10 390 return $repo if (!$repo);
Chris@10 391
Chris@7 392 $repo =~ s/[^a-zA-Z0-9\._-]//g;
Chris@7 393
Chris@8 394 # The original Redmine.pm returns the string just calculated as
Chris@8 395 # the project identifier. That won't do for us -- we may have
Chris@8 396 # (and in fact already do have, in our test instance) projects
Chris@8 397 # whose repository names differ from the project identifiers.
Chris@8 398
Chris@8 399 # This is a rather fundamental change because it means that almost
Chris@8 400 # every request needs more than one database query -- which
Chris@8 401 # prompts us to start passing around $dbh instead of connecting
Chris@8 402 # locally within each function as is done in Redmine.pm.
Chris@8 403
Chris@7 404 my $sth = $dbh->prepare(
Chris@7 405 "SELECT projects.identifier FROM projects, repositories WHERE repositories.project_id = projects.id AND repositories.url LIKE ?;"
Chris@7 406 );
Chris@7 407
Chris@8 408 my $cfg = Apache2::Module::get_config
Chris@8 409 (__PACKAGE__, $r->server, $r->per_dir_config);
Chris@8 410
Chris@8 411 my $prefix = $cfg->{SoundSoftwareRepoPrefix};
Chris@8 412 if (!defined $prefix) { $prefix = '%/'; }
Chris@8 413
Chris@7 414 my $identifier = '';
Chris@7 415
Chris@8 416 $sth->execute($prefix . $repo);
Chris@7 417 my $ret = 0;
Chris@7 418 if (my @row = $sth->fetchrow_array) {
Chris@7 419 $identifier = $row[0];
Chris@7 420 }
Chris@7 421 $sth->finish();
Chris@7 422 undef $sth;
Chris@7 423
Chris@517 424 print STDERR "SoundSoftware.pm:$$: Repository '$repo' belongs to project '$identifier'\n";
Chris@7 425
Chris@7 426 $identifier;
Chris@7 427 }
Chris@7 428
Chris@8 429 sub get_realm {
Chris@8 430 my $dbh = shift;
Chris@8 431 my $project_id = shift;
Chris@8 432 my $r = shift;
Chris@8 433
Chris@8 434 my $sth = $dbh->prepare(
Chris@8 435 "SELECT projects.name FROM projects WHERE projects.identifier = ?;"
Chris@8 436 );
Chris@8 437
Chris@8 438 my $name = $project_id;
Chris@8 439
Chris@8 440 $sth->execute($project_id);
Chris@8 441 my $ret = 0;
Chris@8 442 if (my @row = $sth->fetchrow_array) {
Chris@8 443 $name = $row[0];
Chris@8 444 }
Chris@8 445 $sth->finish();
Chris@8 446 undef $sth;
Chris@8 447
Chris@8 448 # be timid about characters not permitted in auth realm and revert
Chris@8 449 # to project identifier if any are found
Chris@8 450 if ($name =~ m/[^\w\d\s\._-]/) {
Chris@8 451 $name = $project_id;
Chris@8 452 }
Chris@8 453
Chris@8 454 my $realm = '"Mercurial repository for ' . "'$name'" . '"';
Chris@8 455
Chris@8 456 $realm;
Chris@8 457 }
Chris@8 458
Chris@7 459 sub connect_database {
Chris@7 460 my $r = shift;
Chris@7 461
Chris@8 462 my $cfg = Apache2::Module::get_config
Chris@8 463 (__PACKAGE__, $r->server, $r->per_dir_config);
Chris@8 464
Chris@8 465 return DBI->connect($cfg->{SoundSoftwareDSN},
Chris@152 466 $cfg->{SoundSoftwareDbUser},
Chris@152 467 $cfg->{SoundSoftwareDbPass});
Chris@7 468 }
Chris@7 469
Chris@7 470 1;