Mercurial > hg > soundsoftware-site

annotate extra/soundsoftware/SoundSoftware.pm @ 892:f171d5dfaef0 bug_67

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Close obsolete branch bug_67
author Chris Cannam
date Wed, 09 Feb 2011 12:16:25 +0000
parents 5da98461a9f6
children 034e9b00b341
rev   line source
Chris@7 1 package Apache::Authn::SoundSoftware;
Chris@7 2
Chris@7 3 =head1 Apache::Authn::SoundSoftware
Chris@7 4
Chris@7 5 SoundSoftware - a mod_perl module for Apache authentication against a
Chris@7 6 Redmine database and optional LDAP implementing the access control
Chris@7 7 rules required for the SoundSoftware.ac.uk repository site.
Chris@7 8
Chris@7 9 =head1 SYNOPSIS
Chris@7 10
Chris@7 11 This module is closely based on the Redmine.pm authentication module
Chris@7 12 provided with Redmine. It is intended to be used for authentication
Chris@7 13 in front of a repository service such as hgwebdir.
Chris@7 14
Chris@7 15 Requirements:
Chris@7 16
Chris@7 17 1. Clone/pull from repo for public project: Any user, no
Chris@7 18 authentication required
Chris@7 19
Chris@7 20 2. Clone/pull from repo for private project: Project members only
Chris@7 21
Chris@7 22 3. Push to repo for public project: "Permitted" users only (this
Chris@8 23 probably means project members who are also identified in the hgrc web
Chris@8 24 section for the repository and so will be approved by hgwebdir?)
Chris@7 25
Chris@8 26 4. Push to repo for private project: "Permitted" users only (as above)
Chris@7 27
Chris@7 28 =head1 INSTALLATION
Chris@7 29
Chris@7 30 Debian/ubuntu:
Chris@7 31
Chris@7 32 apt-get install libapache-dbi-perl libapache2-mod-perl2 \
Chris@7 33 libdbd-mysql-perl libauthen-simple-ldap-perl libio-socket-ssl-perl
Chris@7 34
Chris@7 35 Note that LDAP support is hardcoded "on" in this script (it is
Chris@7 36 optional in the original Redmine.pm).
Chris@7 37
Chris@7 38 =head1 CONFIGURATION
Chris@7 39
Chris@7 40 ## This module has to be in your perl path
Chris@7 41 ## eg: /usr/local/lib/site_perl/Apache/Authn/SoundSoftware.pm
Chris@7 42 PerlLoadModule Apache::Authn::SoundSoftware
Chris@7 43
Chris@7 44 # Example when using hgwebdir
Chris@7 45 ScriptAlias / "/var/hg/hgwebdir.cgi/"
Chris@7 46
Chris@7 47 <Location />
Chris@7 48 AuthName "Mercurial"
Chris@7 49 AuthType Basic
Chris@7 50 Require valid-user
Chris@7 51 PerlAccessHandler Apache::Authn::SoundSoftware::access_handler
Chris@7 52 PerlAuthenHandler Apache::Authn::SoundSoftware::authen_handler
Chris@7 53 SoundSoftwareDSN "DBI:mysql:database=redmine;host=localhost"
Chris@7 54 SoundSoftwareDbUser "redmine"
Chris@7 55 SoundSoftwareDbPass "password"
Chris@7 56 Options +ExecCGI
Chris@7 57 AddHandler cgi-script .cgi
Chris@7 58 ## Optional where clause (fulltext search would be slow and
Chris@7 59 ## database dependant).
Chris@7 60 # SoundSoftwareDbWhereClause "and members.role_id IN (1,2)"
Chris@8 61 ## Optional prefix for local repository URLs
Chris@8 62 # SoundSoftwareRepoPrefix "/var/hg/"
Chris@7 63 </Location>
Chris@7 64
Chris@7 65 See the original Redmine.pm for further configuration notes.
Chris@7 66
Chris@7 67 =cut
Chris@7 68
Chris@7 69 use strict;
Chris@7 70 use warnings FATAL => 'all', NONFATAL => 'redefine';
Chris@7 71
Chris@7 72 use DBI;
Chris@7 73 use Digest::SHA1;
Chris@7 74 use Authen::Simple::LDAP;
Chris@7 75 use Apache2::Module;
Chris@7 76 use Apache2::Access;
Chris@7 77 use Apache2::ServerRec qw();
Chris@7 78 use Apache2::RequestRec qw();
Chris@7 79 use Apache2::RequestUtil qw();
Chris@7 80 use Apache2::Const qw(:common :override :cmd_how);
Chris@7 81 use APR::Pool ();
Chris@7 82 use APR::Table ();
Chris@7 83
Chris@7 84 my @directives = (
Chris@7 85 {
Chris@7 86 name => 'SoundSoftwareDSN',
Chris@7 87 req_override => OR_AUTHCFG,
Chris@7 88 args_how => TAKE1,
Chris@7 89 errmsg => 'Dsn in format used by Perl DBI. eg: "DBI:Pg:dbname=databasename;host=my.db.server"',
Chris@7 90 },
Chris@7 91 {
Chris@7 92 name => 'SoundSoftwareDbUser',
Chris@7 93 req_override => OR_AUTHCFG,
Chris@7 94 args_how => TAKE1,
Chris@7 95 },
Chris@7 96 {
Chris@7 97 name => 'SoundSoftwareDbPass',
Chris@7 98 req_override => OR_AUTHCFG,
Chris@7 99 args_how => TAKE1,
Chris@7 100 },
Chris@7 101 {
Chris@7 102 name => 'SoundSoftwareDbWhereClause',
Chris@7 103 req_override => OR_AUTHCFG,
Chris@7 104 args_how => TAKE1,
Chris@7 105 },
Chris@7 106 {
Chris@8 107 name => 'SoundSoftwareRepoPrefix',
Chris@7 108 req_override => OR_AUTHCFG,
Chris@7 109 args_how => TAKE1,
Chris@7 110 },
Chris@7 111 );
Chris@7 112
Chris@7 113 sub SoundSoftwareDSN {
Chris@8 114 my ($self, $parms, $arg) = @_;
Chris@8 115 $self->{SoundSoftwareDSN} = $arg;
Chris@8 116 my $query = "SELECT
Chris@7 117 hashed_password, auth_source_id, permissions
Chris@7 118 FROM members, projects, users, roles, member_roles
Chris@7 119 WHERE
Chris@7 120 projects.id=members.project_id
Chris@7 121 AND member_roles.member_id=members.id
Chris@7 122 AND users.id=members.user_id
Chris@7 123 AND roles.id=member_roles.role_id
Chris@7 124 AND users.status=1
Chris@7 125 AND login=?
Chris@7 126 AND identifier=? ";
Chris@8 127 $self->{SoundSoftwareQuery} = trim($query);
Chris@7 128 }
Chris@7 129
Chris@7 130 sub SoundSoftwareDbUser { set_val('SoundSoftwareDbUser', @_); }
Chris@7 131 sub SoundSoftwareDbPass { set_val('SoundSoftwareDbPass', @_); }
Chris@7 132 sub SoundSoftwareDbWhereClause {
Chris@8 133 my ($self, $parms, $arg) = @_;
Chris@8 134 $self->{SoundSoftwareQuery} = trim($self->{SoundSoftwareQuery}.($arg ? $arg : "")." ");
Chris@7 135 }
Chris@7 136
Chris@8 137 sub SoundSoftwareRepoPrefix {
Chris@8 138 my ($self, $parms, $arg) = @_;
Chris@8 139 if ($arg) {
Chris@8 140 $self->{SoundSoftwareRepoPrefix} = $arg;
Chris@8 141 }
Chris@7 142 }
Chris@7 143
Chris@7 144 sub trim {
Chris@8 145 my $string = shift;
Chris@8 146 $string =~ s/\s{2,}/ /g;
Chris@8 147 return $string;
Chris@7 148 }
Chris@7 149
Chris@7 150 sub set_val {
Chris@8 151 my ($key, $self, $parms, $arg) = @_;
Chris@8 152 $self->{$key} = $arg;
Chris@7 153 }
Chris@7 154
Chris@7 155 Apache2::Module::add(__PACKAGE__, \@directives);
Chris@7 156
Chris@7 157
Chris@7 158 my %read_only_methods = map { $_ => 1 } qw/GET PROPFIND REPORT OPTIONS/;
Chris@7 159
Chris@7 160 sub access_handler {
Chris@8 161 my $r = shift;
Chris@7 162
Chris@152 163 print STDERR "SoundSoftware.pm: In access handler at " . scalar localtime() . "\n";
Chris@7 164
Chris@8 165 unless ($r->some_auth_required) {
Chris@8 166 $r->log_reason("No authentication has been configured");
Chris@8 167 return FORBIDDEN;
Chris@8 168 }
Chris@7 169
Chris@8 170 my $method = $r->method;
Chris@7 171
Chris@8 172 print STDERR "SoundSoftware.pm: Method: $method, uri " . $r->uri . ", location " . $r->location . "\n";
Chris@8 173 print STDERR "SoundSoftware.pm: Accept: " . $r->headers_in->{Accept} . "\n";
Chris@7 174
Chris@8 175 if (!defined $read_only_methods{$method}) {
Chris@8 176 print STDERR "SoundSoftware.pm: Method is not read-only, authentication handler required\n";
Chris@8 177 return OK;
Chris@8 178 }
Chris@7 179
Chris@8 180 my $dbh = connect_database($r);
Chris@152 181 unless ($dbh) {
Chris@152 182 print STDERR "SoundSoftware.pm: Database connection failed!: " . $DBI::errstr . "\n";
Chris@152 183 return FORBIDDEN;
Chris@152 184 }
Chris@152 185
Chris@152 186
Chris@152 187 print STDERR "Connected to db, dbh is " . $dbh . "\n";
Chris@7 188
Chris@8 189 my $project_id = get_project_identifier($dbh, $r);
Chris@8 190 my $status = get_project_status($dbh, $project_id, $r);
Chris@7 191
Chris@8 192 $dbh->disconnect();
Chris@8 193 undef $dbh;
Chris@7 194
Chris@8 195 if ($status == 0) { # nonexistent
Chris@8 196 print STDERR "SoundSoftware.pm: Project does not exist, refusing access\n";
Chris@8 197 return FORBIDDEN;
Chris@8 198 } elsif ($status == 1) { # public
Chris@8 199 print STDERR "SoundSoftware.pm: Project is public, no restriction here\n";
Chris@8 200 $r->set_handlers(PerlAuthenHandler => [\&OK])
Chris@8 201 } else { # private
Chris@8 202 print STDERR "SoundSoftware.pm: Project is private, authentication handler required\n";
Chris@8 203 }
Chris@7 204
Chris@8 205 return OK
Chris@7 206 }
Chris@7 207
Chris@7 208 sub authen_handler {
Chris@8 209 my $r = shift;
Chris@8 210
Chris@152 211 print STDERR "SoundSoftware.pm: In authentication handler at " . scalar localtime() . "\n";
Chris@7 212
Chris@8 213 my $dbh = connect_database($r);
Chris@152 214 unless ($dbh) {
Chris@152 215 print STDERR "SoundSoftware.pm: Database connection failed!: " . $DBI::errstr . "\n";
Chris@152 216 return AUTH_REQUIRED;
Chris@152 217 }
Chris@8 218
Chris@8 219 my $project_id = get_project_identifier($dbh, $r);
Chris@8 220 my $realm = get_realm($dbh, $project_id, $r);
Chris@8 221 $r->auth_name($realm);
Chris@8 222
Chris@8 223 my ($res, $redmine_pass) = $r->get_basic_auth_pw();
Chris@8 224 unless ($res == OK) {
Chris@8 225 $dbh->disconnect();
Chris@8 226 undef $dbh;
Chris@8 227 return $res;
Chris@8 228 }
Chris@8 229
Chris@8 230 print STDERR "SoundSoftware.pm: User is " . $r->user . ", got password\n";
Chris@8 231
Chris@8 232 my $permitted = is_permitted($dbh, $project_id, $r->user, $redmine_pass, $r);
Chris@8 233
Chris@8 234 $dbh->disconnect();
Chris@8 235 undef $dbh;
Chris@8 236
Chris@8 237 if ($permitted) {
Chris@8 238 return OK;
Chris@8 239 } else {
Chris@8 240 print STDERR "SoundSoftware.pm: Not permitted\n";
Chris@8 241 $r->note_auth_failure();
Chris@8 242 return AUTH_REQUIRED;
Chris@8 243 }
Chris@7 244 }
Chris@7 245
Chris@7 246 sub get_project_status {
Chris@8 247 my $dbh = shift;
Chris@7 248 my $project_id = shift;
Chris@7 249 my $r = shift;
Chris@8 250
Chris@8 251 if (!defined $project_id or $project_id eq '') {
Chris@8 252 return 0; # nonexistent
Chris@8 253 }
Chris@7 254
Chris@7 255 my $sth = $dbh->prepare(
Chris@7 256 "SELECT is_public FROM projects WHERE projects.identifier = ?;"
Chris@7 257 );
Chris@7 258
Chris@7 259 $sth->execute($project_id);
Chris@8 260 my $ret = 0; # nonexistent
Chris@7 261 if (my @row = $sth->fetchrow_array) {
Chris@7 262 if ($row[0] eq "1" || $row[0] eq "t") {
Chris@7 263 $ret = 1; # public
Chris@7 264 } else {
Chris@8 265 $ret = 2; # private
Chris@7 266 }
Chris@7 267 }
Chris@7 268 $sth->finish();
Chris@7 269 undef $sth;
Chris@7 270
Chris@7 271 $ret;
Chris@7 272 }
Chris@7 273
Chris@8 274 sub is_permitted {
Chris@8 275 my $dbh = shift;
Chris@8 276 my $project_id = shift;
Chris@8 277 my $redmine_user = shift;
Chris@8 278 my $redmine_pass = shift;
Chris@8 279 my $r = shift;
Chris@7 280
Chris@8 281 my $pass_digest = Digest::SHA1::sha1_hex($redmine_pass);
Chris@7 282
Chris@8 283 my $cfg = Apache2::Module::get_config
Chris@8 284 (__PACKAGE__, $r->server, $r->per_dir_config);
Chris@7 285
Chris@8 286 my $query = $cfg->{SoundSoftwareQuery};
Chris@8 287 my $sth = $dbh->prepare($query);
Chris@8 288 $sth->execute($redmine_user, $project_id);
Chris@7 289
Chris@8 290 my $ret;
Chris@8 291 while (my ($hashed_password, $auth_source_id, $permissions) = $sth->fetchrow_array) {
Chris@7 292
Chris@8 293 # Test permissions for this user before we verify credentials
Chris@8 294 # -- if the user is not permitted this action anyway, there's
Chris@8 295 # not much point in e.g. contacting the LDAP
Chris@7 296
Chris@8 297 my $method = $r->method;
Chris@7 298
Chris@8 299 if ((defined $read_only_methods{$method} && $permissions =~ /:browse_repository/)
Chris@8 300 || $permissions =~ /:commit_access/) {
Chris@8 301
Chris@8 302 # User would be permitted this action, if their
Chris@8 303 # credentials checked out -- test those now
Chris@8 304
Chris@8 305 print STDERR "SoundSoftware.pm: User $redmine_user has required role, checking credentials\n";
Chris@8 306
Chris@8 307 unless ($auth_source_id) {
Chris@8 308 if ($hashed_password eq $pass_digest) {
Chris@8 309 print STDERR "SoundSoftware.pm: User $redmine_user authenticated via password\n";
Chris@8 310 $ret = 1;
Chris@8 311 last;
Chris@8 312 }
Chris@8 313 } else {
Chris@8 314 my $sthldap = $dbh->prepare(
Chris@8 315 "SELECT host,port,tls,account,account_password,base_dn,attr_login FROM auth_sources WHERE id = ?;"
Chris@8 316 );
Chris@8 317 $sthldap->execute($auth_source_id);
Chris@8 318 while (my @rowldap = $sthldap->fetchrow_array) {
Chris@8 319 my $ldap = Authen::Simple::LDAP->new(
Chris@8 320 host => ($rowldap[2] eq "1" || $rowldap[2] eq "t") ? "ldaps://$rowldap[0]" : $rowldap[0],
Chris@8 321 port => $rowldap[1],
Chris@8 322 basedn => $rowldap[5],
Chris@8 323 binddn => $rowldap[3] ? $rowldap[3] : "",
Chris@8 324 bindpw => $rowldap[4] ? $rowldap[4] : "",
Chris@8 325 filter => "(".$rowldap[6]."=%s)"
Chris@8 326 );
Chris@8 327 if ($ldap->authenticate($redmine_user, $redmine_pass)) {
Chris@8 328 print STDERR "SoundSoftware.pm: User $redmine_user authenticated via LDAP\n";
Chris@8 329 $ret = 1;
Chris@8 330 }
Chris@8 331 }
Chris@8 332 $sthldap->finish();
Chris@8 333 undef $sthldap;
Chris@8 334 }
Chris@8 335 } else {
Chris@8 336 print STDERR "SoundSoftware.pm: User $redmine_user lacks required role for this project\n";
Chris@8 337 }
Chris@7 338 }
Chris@7 339
Chris@8 340 $sth->finish();
Chris@8 341 undef $sth;
Chris@8 342
Chris@8 343 $ret;
Chris@7 344 }
Chris@7 345
Chris@7 346 sub get_project_identifier {
Chris@8 347 my $dbh = shift;
Chris@7 348 my $r = shift;
Chris@7 349
Chris@7 350 my $location = $r->location;
Chris@7 351 my ($repo) = $r->uri =~ m{$location/*([^/]+)};
Chris@10 352
Chris@10 353 return $repo if (!$repo);
Chris@10 354
Chris@7 355 $repo =~ s/[^a-zA-Z0-9\._-]//g;
Chris@7 356
Chris@8 357 # The original Redmine.pm returns the string just calculated as
Chris@8 358 # the project identifier. That won't do for us -- we may have
Chris@8 359 # (and in fact already do have, in our test instance) projects
Chris@8 360 # whose repository names differ from the project identifiers.
Chris@8 361
Chris@8 362 # This is a rather fundamental change because it means that almost
Chris@8 363 # every request needs more than one database query -- which
Chris@8 364 # prompts us to start passing around $dbh instead of connecting
Chris@8 365 # locally within each function as is done in Redmine.pm.
Chris@8 366
Chris@7 367 my $sth = $dbh->prepare(
Chris@7 368 "SELECT projects.identifier FROM projects, repositories WHERE repositories.project_id = projects.id AND repositories.url LIKE ?;"
Chris@7 369 );
Chris@7 370
Chris@8 371 my $cfg = Apache2::Module::get_config
Chris@8 372 (__PACKAGE__, $r->server, $r->per_dir_config);
Chris@8 373
Chris@8 374 my $prefix = $cfg->{SoundSoftwareRepoPrefix};
Chris@8 375 if (!defined $prefix) { $prefix = '%/'; }
Chris@8 376
Chris@7 377 my $identifier = '';
Chris@7 378
Chris@8 379 $sth->execute($prefix . $repo);
Chris@7 380 my $ret = 0;
Chris@7 381 if (my @row = $sth->fetchrow_array) {
Chris@7 382 $identifier = $row[0];
Chris@7 383 }
Chris@7 384 $sth->finish();
Chris@7 385 undef $sth;
Chris@7 386
Chris@8 387 print STDERR "SoundSoftware.pm: Repository '$repo' belongs to project '$identifier'\n";
Chris@7 388
Chris@7 389 $identifier;
Chris@7 390 }
Chris@7 391
Chris@8 392 sub get_realm {
Chris@8 393 my $dbh = shift;
Chris@8 394 my $project_id = shift;
Chris@8 395 my $r = shift;
Chris@8 396
Chris@8 397 my $sth = $dbh->prepare(
Chris@8 398 "SELECT projects.name FROM projects WHERE projects.identifier = ?;"
Chris@8 399 );
Chris@8 400
Chris@8 401 my $name = $project_id;
Chris@8 402
Chris@8 403 $sth->execute($project_id);
Chris@8 404 my $ret = 0;
Chris@8 405 if (my @row = $sth->fetchrow_array) {
Chris@8 406 $name = $row[0];
Chris@8 407 }
Chris@8 408 $sth->finish();
Chris@8 409 undef $sth;
Chris@8 410
Chris@8 411 # be timid about characters not permitted in auth realm and revert
Chris@8 412 # to project identifier if any are found
Chris@8 413 if ($name =~ m/[^\w\d\s\._-]/) {
Chris@8 414 $name = $project_id;
Chris@8 415 }
Chris@8 416
Chris@8 417 my $realm = '"Mercurial repository for ' . "'$name'" . '"';
Chris@8 418
Chris@8 419 $realm;
Chris@8 420 }
Chris@8 421
Chris@7 422 sub connect_database {
Chris@7 423 my $r = shift;
Chris@7 424
Chris@8 425 my $cfg = Apache2::Module::get_config
Chris@8 426 (__PACKAGE__, $r->server, $r->per_dir_config);
Chris@8 427
Chris@8 428 return DBI->connect($cfg->{SoundSoftwareDSN},
Chris@152 429 $cfg->{SoundSoftwareDbUser},
Chris@152 430 $cfg->{SoundSoftwareDbPass});
Chris@7 431 }
Chris@7 432
Chris@7 433 1;