annotate .svn/pristine/58/58919c55a2dd0b48c7152f7b1adf06799d9cbcd6.svn-base @ 1327:287f201c2802 redmine-2.2-integration

Add italic
author Chris Cannam <chris.cannam@soundsoftware.ac.uk>
date Wed, 19 Jun 2013 20:56:22 +0100
parents 038ba2d95de8
children
rev   line source
Chris@1296 1 package Apache::Authn::Redmine;
Chris@1296 2
Chris@1296 3 =head1 Apache::Authn::Redmine
Chris@1296 4
Chris@1296 5 Redmine - a mod_perl module to authenticate webdav subversion users
Chris@1296 6 against redmine database
Chris@1296 7
Chris@1296 8 =head1 SYNOPSIS
Chris@1296 9
Chris@1296 10 This module allow anonymous users to browse public project and
Chris@1296 11 registred users to browse and commit their project. Authentication is
Chris@1296 12 done against the redmine database or the LDAP configured in redmine.
Chris@1296 13
Chris@1296 14 This method is far simpler than the one with pam_* and works with all
Chris@1296 15 database without an hassle but you need to have apache/mod_perl on the
Chris@1296 16 svn server.
Chris@1296 17
Chris@1296 18 =head1 INSTALLATION
Chris@1296 19
Chris@1296 20 For this to automagically work, you need to have a recent reposman.rb
Chris@1296 21 (after r860) and if you already use reposman, read the last section to
Chris@1296 22 migrate.
Chris@1296 23
Chris@1296 24 Sorry ruby users but you need some perl modules, at least mod_perl2,
Chris@1296 25 DBI and DBD::mysql (or the DBD driver for you database as it should
Chris@1296 26 work on allmost all databases).
Chris@1296 27
Chris@1296 28 On debian/ubuntu you must do :
Chris@1296 29
Chris@1296 30 aptitude install libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl
Chris@1296 31
Chris@1296 32 If your Redmine users use LDAP authentication, you will also need
Chris@1296 33 Authen::Simple::LDAP (and IO::Socket::SSL if LDAPS is used):
Chris@1296 34
Chris@1296 35 aptitude install libauthen-simple-ldap-perl libio-socket-ssl-perl
Chris@1296 36
Chris@1296 37 =head1 CONFIGURATION
Chris@1296 38
Chris@1296 39 ## This module has to be in your perl path
Chris@1296 40 ## eg: /usr/lib/perl5/Apache/Authn/Redmine.pm
Chris@1296 41 PerlLoadModule Apache::Authn::Redmine
Chris@1296 42 <Location /svn>
Chris@1296 43 DAV svn
Chris@1296 44 SVNParentPath "/var/svn"
Chris@1296 45
Chris@1296 46 AuthType Basic
Chris@1296 47 AuthName redmine
Chris@1296 48 Require valid-user
Chris@1296 49
Chris@1296 50 PerlAccessHandler Apache::Authn::Redmine::access_handler
Chris@1296 51 PerlAuthenHandler Apache::Authn::Redmine::authen_handler
Chris@1296 52
Chris@1296 53 ## for mysql
Chris@1296 54 RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
Chris@1296 55 ## for postgres
Chris@1296 56 # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
Chris@1296 57
Chris@1296 58 RedmineDbUser "redmine"
Chris@1296 59 RedmineDbPass "password"
Chris@1296 60 ## Optional where clause (fulltext search would be slow and
Chris@1296 61 ## database dependant).
Chris@1296 62 # RedmineDbWhereClause "and members.role_id IN (1,2)"
Chris@1296 63 ## Optional credentials cache size
Chris@1296 64 # RedmineCacheCredsMax 50
Chris@1296 65 </Location>
Chris@1296 66
Chris@1296 67 To be able to browse repository inside redmine, you must add something
Chris@1296 68 like that :
Chris@1296 69
Chris@1296 70 <Location /svn-private>
Chris@1296 71 DAV svn
Chris@1296 72 SVNParentPath "/var/svn"
Chris@1296 73 Order deny,allow
Chris@1296 74 Deny from all
Chris@1296 75 # only allow reading orders
Chris@1296 76 <Limit GET PROPFIND OPTIONS REPORT>
Chris@1296 77 Allow from redmine.server.ip
Chris@1296 78 </Limit>
Chris@1296 79 </Location>
Chris@1296 80
Chris@1296 81 and you will have to use this reposman.rb command line to create repository :
Chris@1296 82
Chris@1296 83 reposman.rb --redmine my.redmine.server --svn-dir /var/svn --owner www-data -u http://svn.server/svn-private/
Chris@1296 84
Chris@1296 85 =head1 REPOSITORIES NAMING
Chris@1296 86
Chris@1296 87 A projet repository must be named with the projet identifier. In case
Chris@1296 88 of multiple repositories for the same project, use the project identifier
Chris@1296 89 and the repository identifier separated with a dot:
Chris@1296 90
Chris@1296 91 /var/svn/foo
Chris@1296 92 /var/svn/foo.otherrepo
Chris@1296 93
Chris@1296 94 =head1 MIGRATION FROM OLDER RELEASES
Chris@1296 95
Chris@1296 96 If you use an older reposman.rb (r860 or before), you need to change
Chris@1296 97 rights on repositories to allow the apache user to read and write
Chris@1296 98 S<them :>
Chris@1296 99
Chris@1296 100 sudo chown -R www-data /var/svn/*
Chris@1296 101 sudo chmod -R u+w /var/svn/*
Chris@1296 102
Chris@1296 103 And you need to upgrade at least reposman.rb (after r860).
Chris@1296 104
Chris@1296 105 =head1 GIT SMART HTTP SUPPORT
Chris@1296 106
Chris@1296 107 Git's smart HTTP protocol (available since Git 1.7.0) will not work with the
Chris@1296 108 above settings. Redmine.pm normally does access control depending on the HTTP
Chris@1296 109 method used: read-only methods are OK for everyone in public projects and
Chris@1296 110 members with read rights in private projects. The rest require membership with
Chris@1296 111 commit rights in the project.
Chris@1296 112
Chris@1296 113 However, this scheme doesn't work for Git's smart HTTP protocol, as it will use
Chris@1296 114 POST even for a simple clone. Instead, read-only requests must be detected using
Chris@1296 115 the full URL (including the query string): anything that doesn't belong to the
Chris@1296 116 git-receive-pack service is read-only.
Chris@1296 117
Chris@1296 118 To activate this mode of operation, add this line inside your <Location /git>
Chris@1296 119 block:
Chris@1296 120
Chris@1296 121 RedmineGitSmartHttp yes
Chris@1296 122
Chris@1296 123 Here's a sample Apache configuration which integrates git-http-backend with
Chris@1296 124 a MySQL database and this new option:
Chris@1296 125
Chris@1296 126 SetEnv GIT_PROJECT_ROOT /var/www/git/
Chris@1296 127 SetEnv GIT_HTTP_EXPORT_ALL
Chris@1296 128 ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
Chris@1296 129 <Location /git>
Chris@1296 130 Order allow,deny
Chris@1296 131 Allow from all
Chris@1296 132
Chris@1296 133 AuthType Basic
Chris@1296 134 AuthName Git
Chris@1296 135 Require valid-user
Chris@1296 136
Chris@1296 137 PerlAccessHandler Apache::Authn::Redmine::access_handler
Chris@1296 138 PerlAuthenHandler Apache::Authn::Redmine::authen_handler
Chris@1296 139 # for mysql
Chris@1296 140 RedmineDSN "DBI:mysql:database=redmine;host=127.0.0.1"
Chris@1296 141 RedmineDbUser "redmine"
Chris@1296 142 RedmineDbPass "xxx"
Chris@1296 143 RedmineGitSmartHttp yes
Chris@1296 144 </Location>
Chris@1296 145
Chris@1296 146 Make sure that all the names of the repositories under /var/www/git/ have a
Chris@1296 147 matching identifier for some project: /var/www/git/myproject and
Chris@1296 148 /var/www/git/myproject.git will work. You can put both bare and non-bare
Chris@1296 149 repositories in /var/www/git, though bare repositories are strongly
Chris@1296 150 recommended. You should create them with the rights of the user running Redmine,
Chris@1296 151 like this:
Chris@1296 152
Chris@1296 153 cd /var/www/git
Chris@1296 154 sudo -u user-running-redmine mkdir myproject
Chris@1296 155 cd myproject
Chris@1296 156 sudo -u user-running-redmine git init --bare
Chris@1296 157
Chris@1296 158 Once you have activated this option, you have three options when cloning a
Chris@1296 159 repository:
Chris@1296 160
Chris@1296 161 - Cloning using "http://user@host/git/repo(.git)" works, but will ask for the password
Chris@1296 162 all the time.
Chris@1296 163
Chris@1296 164 - Cloning with "http://user:pass@host/git/repo(.git)" does not have this problem, but
Chris@1296 165 this could reveal accidentally your password to the console in some versions
Chris@1296 166 of Git, and you would have to ensure that .git/config is not readable except
Chris@1296 167 by the owner for each of your projects.
Chris@1296 168
Chris@1296 169 - Use "http://host/git/repo(.git)", and store your credentials in the ~/.netrc
Chris@1296 170 file. This is the recommended solution, as you only have one file to protect
Chris@1296 171 and passwords will not be leaked accidentally to the console.
Chris@1296 172
Chris@1296 173 IMPORTANT NOTE: It is *very important* that the file cannot be read by other
Chris@1296 174 users, as it will contain your password in cleartext. To create the file, you
Chris@1296 175 can use the following commands, replacing yourhost, youruser and yourpassword
Chris@1296 176 with the right values:
Chris@1296 177
Chris@1296 178 touch ~/.netrc
Chris@1296 179 chmod 600 ~/.netrc
Chris@1296 180 echo -e "machine yourhost\nlogin youruser\npassword yourpassword" > ~/.netrc
Chris@1296 181
Chris@1296 182 =cut
Chris@1296 183
Chris@1296 184 use strict;
Chris@1296 185 use warnings FATAL => 'all', NONFATAL => 'redefine';
Chris@1296 186
Chris@1296 187 use DBI;
Chris@1296 188 use Digest::SHA;
Chris@1296 189 # optional module for LDAP authentication
Chris@1296 190 my $CanUseLDAPAuth = eval("use Authen::Simple::LDAP; 1");
Chris@1296 191
Chris@1296 192 use Apache2::Module;
Chris@1296 193 use Apache2::Access;
Chris@1296 194 use Apache2::ServerRec qw();
Chris@1296 195 use Apache2::RequestRec qw();
Chris@1296 196 use Apache2::RequestUtil qw();
Chris@1296 197 use Apache2::Const qw(:common :override :cmd_how);
Chris@1296 198 use APR::Pool ();
Chris@1296 199 use APR::Table ();
Chris@1296 200
Chris@1296 201 # use Apache2::Directive qw();
Chris@1296 202
Chris@1296 203 my @directives = (
Chris@1296 204 {
Chris@1296 205 name => 'RedmineDSN',
Chris@1296 206 req_override => OR_AUTHCFG,
Chris@1296 207 args_how => TAKE1,
Chris@1296 208 errmsg => 'Dsn in format used by Perl DBI. eg: "DBI:Pg:dbname=databasename;host=my.db.server"',
Chris@1296 209 },
Chris@1296 210 {
Chris@1296 211 name => 'RedmineDbUser',
Chris@1296 212 req_override => OR_AUTHCFG,
Chris@1296 213 args_how => TAKE1,
Chris@1296 214 },
Chris@1296 215 {
Chris@1296 216 name => 'RedmineDbPass',
Chris@1296 217 req_override => OR_AUTHCFG,
Chris@1296 218 args_how => TAKE1,
Chris@1296 219 },
Chris@1296 220 {
Chris@1296 221 name => 'RedmineDbWhereClause',
Chris@1296 222 req_override => OR_AUTHCFG,
Chris@1296 223 args_how => TAKE1,
Chris@1296 224 },
Chris@1296 225 {
Chris@1296 226 name => 'RedmineCacheCredsMax',
Chris@1296 227 req_override => OR_AUTHCFG,
Chris@1296 228 args_how => TAKE1,
Chris@1296 229 errmsg => 'RedmineCacheCredsMax must be decimal number',
Chris@1296 230 },
Chris@1296 231 {
Chris@1296 232 name => 'RedmineGitSmartHttp',
Chris@1296 233 req_override => OR_AUTHCFG,
Chris@1296 234 args_how => TAKE1,
Chris@1296 235 },
Chris@1296 236 );
Chris@1296 237
Chris@1296 238 sub RedmineDSN {
Chris@1296 239 my ($self, $parms, $arg) = @_;
Chris@1296 240 $self->{RedmineDSN} = $arg;
Chris@1296 241 my $query = "SELECT
Chris@1296 242 users.hashed_password, users.salt, users.auth_source_id, roles.permissions, projects.status
Chris@1296 243 FROM projects, users, roles
Chris@1296 244 WHERE
Chris@1296 245 users.login=?
Chris@1296 246 AND projects.identifier=?
Chris@1296 247 AND users.status=1
Chris@1296 248 AND (
Chris@1296 249 roles.id IN (SELECT member_roles.role_id FROM members, member_roles WHERE members.user_id = users.id AND members.project_id = projects.id AND members.id = member_roles.member_id)
Chris@1296 250 OR
Chris@1296 251 (roles.builtin=1 AND cast(projects.is_public as CHAR) IN ('t', '1'))
Chris@1296 252 )
Chris@1296 253 AND roles.permissions IS NOT NULL";
Chris@1296 254 $self->{RedmineQuery} = trim($query);
Chris@1296 255 }
Chris@1296 256
Chris@1296 257 sub RedmineDbUser { set_val('RedmineDbUser', @_); }
Chris@1296 258 sub RedmineDbPass { set_val('RedmineDbPass', @_); }
Chris@1296 259 sub RedmineDbWhereClause {
Chris@1296 260 my ($self, $parms, $arg) = @_;
Chris@1296 261 $self->{RedmineQuery} = trim($self->{RedmineQuery}.($arg ? $arg : "")." ");
Chris@1296 262 }
Chris@1296 263
Chris@1296 264 sub RedmineCacheCredsMax {
Chris@1296 265 my ($self, $parms, $arg) = @_;
Chris@1296 266 if ($arg) {
Chris@1296 267 $self->{RedmineCachePool} = APR::Pool->new;
Chris@1296 268 $self->{RedmineCacheCreds} = APR::Table::make($self->{RedmineCachePool}, $arg);
Chris@1296 269 $self->{RedmineCacheCredsCount} = 0;
Chris@1296 270 $self->{RedmineCacheCredsMax} = $arg;
Chris@1296 271 }
Chris@1296 272 }
Chris@1296 273
Chris@1296 274 sub RedmineGitSmartHttp {
Chris@1296 275 my ($self, $parms, $arg) = @_;
Chris@1296 276 $arg = lc $arg;
Chris@1296 277
Chris@1296 278 if ($arg eq "yes" || $arg eq "true") {
Chris@1296 279 $self->{RedmineGitSmartHttp} = 1;
Chris@1296 280 } else {
Chris@1296 281 $self->{RedmineGitSmartHttp} = 0;
Chris@1296 282 }
Chris@1296 283 }
Chris@1296 284
Chris@1296 285 sub trim {
Chris@1296 286 my $string = shift;
Chris@1296 287 $string =~ s/\s{2,}/ /g;
Chris@1296 288 return $string;
Chris@1296 289 }
Chris@1296 290
Chris@1296 291 sub set_val {
Chris@1296 292 my ($key, $self, $parms, $arg) = @_;
Chris@1296 293 $self->{$key} = $arg;
Chris@1296 294 }
Chris@1296 295
Chris@1296 296 Apache2::Module::add(__PACKAGE__, \@directives);
Chris@1296 297
Chris@1296 298
Chris@1296 299 my %read_only_methods = map { $_ => 1 } qw/GET HEAD PROPFIND REPORT OPTIONS/;
Chris@1296 300
Chris@1296 301 sub request_is_read_only {
Chris@1296 302 my ($r) = @_;
Chris@1296 303 my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);
Chris@1296 304
Chris@1296 305 # Do we use Git's smart HTTP protocol, or not?
Chris@1296 306 if (defined $cfg->{RedmineGitSmartHttp} and $cfg->{RedmineGitSmartHttp}) {
Chris@1296 307 my $uri = $r->unparsed_uri;
Chris@1296 308 my $location = $r->location;
Chris@1296 309 my $is_read_only = $uri !~ m{^$location/*[^/]+/+(info/refs\?service=)?git\-receive\-pack$}o;
Chris@1296 310 return $is_read_only;
Chris@1296 311 } else {
Chris@1296 312 # Standard behaviour: check the HTTP method
Chris@1296 313 my $method = $r->method;
Chris@1296 314 return defined $read_only_methods{$method};
Chris@1296 315 }
Chris@1296 316 }
Chris@1296 317
Chris@1296 318 sub access_handler {
Chris@1296 319 my $r = shift;
Chris@1296 320
Chris@1296 321 unless ($r->some_auth_required) {
Chris@1296 322 $r->log_reason("No authentication has been configured");
Chris@1296 323 return FORBIDDEN;
Chris@1296 324 }
Chris@1296 325
Chris@1296 326 return OK unless request_is_read_only($r);
Chris@1296 327
Chris@1296 328 my $project_id = get_project_identifier($r);
Chris@1296 329
Chris@1296 330 $r->set_handlers(PerlAuthenHandler => [\&OK])
Chris@1296 331 if is_public_project($project_id, $r) && anonymous_role_allows_browse_repository($r);
Chris@1296 332
Chris@1296 333 return OK
Chris@1296 334 }
Chris@1296 335
Chris@1296 336 sub authen_handler {
Chris@1296 337 my $r = shift;
Chris@1296 338
Chris@1296 339 my ($res, $redmine_pass) = $r->get_basic_auth_pw();
Chris@1296 340 return $res unless $res == OK;
Chris@1296 341
Chris@1296 342 if (is_member($r->user, $redmine_pass, $r)) {
Chris@1296 343 return OK;
Chris@1296 344 } else {
Chris@1296 345 $r->note_auth_failure();
Chris@1296 346 return DECLINED;
Chris@1296 347 }
Chris@1296 348 }
Chris@1296 349
Chris@1296 350 # check if authentication is forced
Chris@1296 351 sub is_authentication_forced {
Chris@1296 352 my $r = shift;
Chris@1296 353
Chris@1296 354 my $dbh = connect_database($r);
Chris@1296 355 my $sth = $dbh->prepare(
Chris@1296 356 "SELECT value FROM settings where settings.name = 'login_required';"
Chris@1296 357 );
Chris@1296 358
Chris@1296 359 $sth->execute();
Chris@1296 360 my $ret = 0;
Chris@1296 361 if (my @row = $sth->fetchrow_array) {
Chris@1296 362 if ($row[0] eq "1" || $row[0] eq "t") {
Chris@1296 363 $ret = 1;
Chris@1296 364 }
Chris@1296 365 }
Chris@1296 366 $sth->finish();
Chris@1296 367 undef $sth;
Chris@1296 368
Chris@1296 369 $dbh->disconnect();
Chris@1296 370 undef $dbh;
Chris@1296 371
Chris@1296 372 $ret;
Chris@1296 373 }
Chris@1296 374
Chris@1296 375 sub is_public_project {
Chris@1296 376 my $project_id = shift;
Chris@1296 377 my $r = shift;
Chris@1296 378
Chris@1296 379 if (is_authentication_forced($r)) {
Chris@1296 380 return 0;
Chris@1296 381 }
Chris@1296 382
Chris@1296 383 my $dbh = connect_database($r);
Chris@1296 384 my $sth = $dbh->prepare(
Chris@1296 385 "SELECT is_public FROM projects WHERE projects.identifier = ? AND projects.status <> 9;"
Chris@1296 386 );
Chris@1296 387
Chris@1296 388 $sth->execute($project_id);
Chris@1296 389 my $ret = 0;
Chris@1296 390 if (my @row = $sth->fetchrow_array) {
Chris@1296 391 if ($row[0] eq "1" || $row[0] eq "t") {
Chris@1296 392 $ret = 1;
Chris@1296 393 }
Chris@1296 394 }
Chris@1296 395 $sth->finish();
Chris@1296 396 undef $sth;
Chris@1296 397 $dbh->disconnect();
Chris@1296 398 undef $dbh;
Chris@1296 399
Chris@1296 400 $ret;
Chris@1296 401 }
Chris@1296 402
Chris@1296 403 sub anonymous_role_allows_browse_repository {
Chris@1296 404 my $r = shift;
Chris@1296 405
Chris@1296 406 my $dbh = connect_database($r);
Chris@1296 407 my $sth = $dbh->prepare(
Chris@1296 408 "SELECT permissions FROM roles WHERE builtin = 2;"
Chris@1296 409 );
Chris@1296 410
Chris@1296 411 $sth->execute();
Chris@1296 412 my $ret = 0;
Chris@1296 413 if (my @row = $sth->fetchrow_array) {
Chris@1296 414 if ($row[0] =~ /:browse_repository/) {
Chris@1296 415 $ret = 1;
Chris@1296 416 }
Chris@1296 417 }
Chris@1296 418 $sth->finish();
Chris@1296 419 undef $sth;
Chris@1296 420 $dbh->disconnect();
Chris@1296 421 undef $dbh;
Chris@1296 422
Chris@1296 423 $ret;
Chris@1296 424 }
Chris@1296 425
Chris@1296 426 # perhaps we should use repository right (other read right) to check public access.
Chris@1296 427 # it could be faster BUT it doesn't work for the moment.
Chris@1296 428 # sub is_public_project_by_file {
Chris@1296 429 # my $project_id = shift;
Chris@1296 430 # my $r = shift;
Chris@1296 431
Chris@1296 432 # my $tree = Apache2::Directive::conftree();
Chris@1296 433 # my $node = $tree->lookup('Location', $r->location);
Chris@1296 434 # my $hash = $node->as_hash;
Chris@1296 435
Chris@1296 436 # my $svnparentpath = $hash->{SVNParentPath};
Chris@1296 437 # my $repos_path = $svnparentpath . "/" . $project_id;
Chris@1296 438 # return 1 if (stat($repos_path))[2] & 00007;
Chris@1296 439 # }
Chris@1296 440
Chris@1296 441 sub is_member {
Chris@1296 442 my $redmine_user = shift;
Chris@1296 443 my $redmine_pass = shift;
Chris@1296 444 my $r = shift;
Chris@1296 445
Chris@1296 446 my $dbh = connect_database($r);
Chris@1296 447 my $project_id = get_project_identifier($r);
Chris@1296 448
Chris@1296 449 my $pass_digest = Digest::SHA::sha1_hex($redmine_pass);
Chris@1296 450
Chris@1296 451 my $access_mode = request_is_read_only($r) ? "R" : "W";
Chris@1296 452
Chris@1296 453 my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);
Chris@1296 454 my $usrprojpass;
Chris@1296 455 if ($cfg->{RedmineCacheCredsMax}) {
Chris@1296 456 $usrprojpass = $cfg->{RedmineCacheCreds}->get($redmine_user.":".$project_id.":".$access_mode);
Chris@1296 457 return 1 if (defined $usrprojpass and ($usrprojpass eq $pass_digest));
Chris@1296 458 }
Chris@1296 459 my $query = $cfg->{RedmineQuery};
Chris@1296 460 my $sth = $dbh->prepare($query);
Chris@1296 461 $sth->execute($redmine_user, $project_id);
Chris@1296 462
Chris@1296 463 my $ret;
Chris@1296 464 while (my ($hashed_password, $salt, $auth_source_id, $permissions, $project_status) = $sth->fetchrow_array) {
Chris@1296 465 if ($project_status eq "9" || ($project_status ne "1" && $access_mode eq "W")) {
Chris@1296 466 last;
Chris@1296 467 }
Chris@1296 468
Chris@1296 469 unless ($auth_source_id) {
Chris@1296 470 my $method = $r->method;
Chris@1296 471 my $salted_password = Digest::SHA::sha1_hex($salt.$pass_digest);
Chris@1296 472 if ($hashed_password eq $salted_password && (($access_mode eq "R" && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/) ) {
Chris@1296 473 $ret = 1;
Chris@1296 474 last;
Chris@1296 475 }
Chris@1296 476 } elsif ($CanUseLDAPAuth) {
Chris@1296 477 my $sthldap = $dbh->prepare(
Chris@1296 478 "SELECT host,port,tls,account,account_password,base_dn,attr_login from auth_sources WHERE id = ?;"
Chris@1296 479 );
Chris@1296 480 $sthldap->execute($auth_source_id);
Chris@1296 481 while (my @rowldap = $sthldap->fetchrow_array) {
Chris@1296 482 my $bind_as = $rowldap[3] ? $rowldap[3] : "";
Chris@1296 483 my $bind_pw = $rowldap[4] ? $rowldap[4] : "";
Chris@1296 484 if ($bind_as =~ m/\$login/) {
Chris@1296 485 # replace $login with $redmine_user and use $redmine_pass
Chris@1296 486 $bind_as =~ s/\$login/$redmine_user/g;
Chris@1296 487 $bind_pw = $redmine_pass
Chris@1296 488 }
Chris@1296 489 my $ldap = Authen::Simple::LDAP->new(
Chris@1296 490 host => ($rowldap[2] eq "1" || $rowldap[2] eq "t") ? "ldaps://$rowldap[0]:$rowldap[1]" : $rowldap[0],
Chris@1296 491 port => $rowldap[1],
Chris@1296 492 basedn => $rowldap[5],
Chris@1296 493 binddn => $bind_as,
Chris@1296 494 bindpw => $bind_pw,
Chris@1296 495 filter => "(".$rowldap[6]."=%s)"
Chris@1296 496 );
Chris@1296 497 my $method = $r->method;
Chris@1296 498 $ret = 1 if ($ldap->authenticate($redmine_user, $redmine_pass) && (($access_mode eq "R" && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/));
Chris@1296 499
Chris@1296 500 }
Chris@1296 501 $sthldap->finish();
Chris@1296 502 undef $sthldap;
Chris@1296 503 }
Chris@1296 504 }
Chris@1296 505 $sth->finish();
Chris@1296 506 undef $sth;
Chris@1296 507 $dbh->disconnect();
Chris@1296 508 undef $dbh;
Chris@1296 509
Chris@1296 510 if ($cfg->{RedmineCacheCredsMax} and $ret) {
Chris@1296 511 if (defined $usrprojpass) {
Chris@1296 512 $cfg->{RedmineCacheCreds}->set($redmine_user.":".$project_id.":".$access_mode, $pass_digest);
Chris@1296 513 } else {
Chris@1296 514 if ($cfg->{RedmineCacheCredsCount} < $cfg->{RedmineCacheCredsMax}) {
Chris@1296 515 $cfg->{RedmineCacheCreds}->set($redmine_user.":".$project_id.":".$access_mode, $pass_digest);
Chris@1296 516 $cfg->{RedmineCacheCredsCount}++;
Chris@1296 517 } else {
Chris@1296 518 $cfg->{RedmineCacheCreds}->clear();
Chris@1296 519 $cfg->{RedmineCacheCredsCount} = 0;
Chris@1296 520 }
Chris@1296 521 }
Chris@1296 522 }
Chris@1296 523
Chris@1296 524 $ret;
Chris@1296 525 }
Chris@1296 526
Chris@1296 527 sub get_project_identifier {
Chris@1296 528 my $r = shift;
Chris@1296 529
Chris@1296 530 my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);
Chris@1296 531 my $location = $r->location;
Chris@1296 532 $location =~ s/\.git$// if (defined $cfg->{RedmineGitSmartHttp} and $cfg->{RedmineGitSmartHttp});
Chris@1296 533 my ($identifier) = $r->uri =~ m{$location/*([^/.]+)};
Chris@1296 534 $identifier;
Chris@1296 535 }
Chris@1296 536
Chris@1296 537 sub connect_database {
Chris@1296 538 my $r = shift;
Chris@1296 539
Chris@1296 540 my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);
Chris@1296 541 return DBI->connect($cfg->{RedmineDSN}, $cfg->{RedmineDbUser}, $cfg->{RedmineDbPass});
Chris@1296 542 }
Chris@1296 543
Chris@1296 544 1;