Mercurial > hg > soundsoftware-site

annotate .svn/pristine/7b/7b72cc518aa8eb0a7421ff01464081caccb29686.svn-base @ 1519:afce8026aaeb redmine-2.4-integration

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Merge from branch "live"
author Chris Cannam
date Tue, 09 Sep 2014 09:34:53 +0100
parents 261b3d9a4903
children
rev   line source
Chris@1464 1 package Apache::Authn::Redmine;
Chris@1464 2
Chris@1464 3 =head1 Apache::Authn::Redmine
Chris@1464 4
Chris@1464 5 Redmine - a mod_perl module to authenticate webdav subversion users
Chris@1464 6 against redmine database
Chris@1464 7
Chris@1464 8 =head1 SYNOPSIS
Chris@1464 9
Chris@1464 10 This module allow anonymous users to browse public project and
Chris@1464 11 registred users to browse and commit their project. Authentication is
Chris@1464 12 done against the redmine database or the LDAP configured in redmine.
Chris@1464 13
Chris@1464 14 This method is far simpler than the one with pam_* and works with all
Chris@1464 15 database without an hassle but you need to have apache/mod_perl on the
Chris@1464 16 svn server.
Chris@1464 17
Chris@1464 18 =head1 INSTALLATION
Chris@1464 19
Chris@1464 20 For this to automagically work, you need to have a recent reposman.rb
Chris@1464 21 (after r860) and if you already use reposman, read the last section to
Chris@1464 22 migrate.
Chris@1464 23
Chris@1464 24 Sorry ruby users but you need some perl modules, at least mod_perl2,
Chris@1464 25 DBI and DBD::mysql (or the DBD driver for you database as it should
Chris@1464 26 work on allmost all databases).
Chris@1464 27
Chris@1464 28 On debian/ubuntu you must do :
Chris@1464 29
Chris@1464 30 aptitude install libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl
Chris@1464 31
Chris@1464 32 If your Redmine users use LDAP authentication, you will also need
Chris@1464 33 Authen::Simple::LDAP (and IO::Socket::SSL if LDAPS is used):
Chris@1464 34
Chris@1464 35 aptitude install libauthen-simple-ldap-perl libio-socket-ssl-perl
Chris@1464 36
Chris@1464 37 =head1 CONFIGURATION
Chris@1464 38
Chris@1464 39 ## This module has to be in your perl path
Chris@1464 40 ## eg: /usr/lib/perl5/Apache/Authn/Redmine.pm
Chris@1464 41 PerlLoadModule Apache::Authn::Redmine
Chris@1464 42 <Location /svn>
Chris@1464 43 DAV svn
Chris@1464 44 SVNParentPath "/var/svn"
Chris@1464 45
Chris@1464 46 AuthType Basic
Chris@1464 47 AuthName redmine
Chris@1464 48 Require valid-user
Chris@1464 49
Chris@1464 50 PerlAccessHandler Apache::Authn::Redmine::access_handler
Chris@1464 51 PerlAuthenHandler Apache::Authn::Redmine::authen_handler
Chris@1464 52
Chris@1464 53 ## for mysql
Chris@1464 54 RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
Chris@1464 55 ## for postgres
Chris@1464 56 # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
Chris@1464 57
Chris@1464 58 RedmineDbUser "redmine"
Chris@1464 59 RedmineDbPass "password"
Chris@1464 60 ## Optional where clause (fulltext search would be slow and
Chris@1464 61 ## database dependant).
Chris@1464 62 # RedmineDbWhereClause "and members.role_id IN (1,2)"
Chris@1464 63 ## Optional credentials cache size
Chris@1464 64 # RedmineCacheCredsMax 50
Chris@1464 65 </Location>
Chris@1464 66
Chris@1464 67 To be able to browse repository inside redmine, you must add something
Chris@1464 68 like that :
Chris@1464 69
Chris@1464 70 <Location /svn-private>
Chris@1464 71 DAV svn
Chris@1464 72 SVNParentPath "/var/svn"
Chris@1464 73 Order deny,allow
Chris@1464 74 Deny from all
Chris@1464 75 # only allow reading orders
Chris@1464 76 <Limit GET PROPFIND OPTIONS REPORT>
Chris@1464 77 Allow from redmine.server.ip
Chris@1464 78 </Limit>
Chris@1464 79 </Location>
Chris@1464 80
Chris@1464 81 and you will have to use this reposman.rb command line to create repository :
Chris@1464 82
Chris@1464 83 reposman.rb --redmine my.redmine.server --svn-dir /var/svn --owner www-data -u http://svn.server/svn-private/
Chris@1464 84
Chris@1464 85 =head1 REPOSITORIES NAMING
Chris@1464 86
Chris@1464 87 A projet repository must be named with the projet identifier. In case
Chris@1464 88 of multiple repositories for the same project, use the project identifier
Chris@1464 89 and the repository identifier separated with a dot:
Chris@1464 90
Chris@1464 91 /var/svn/foo
Chris@1464 92 /var/svn/foo.otherrepo
Chris@1464 93
Chris@1464 94 =head1 MIGRATION FROM OLDER RELEASES
Chris@1464 95
Chris@1464 96 If you use an older reposman.rb (r860 or before), you need to change
Chris@1464 97 rights on repositories to allow the apache user to read and write
Chris@1464 98 S<them :>
Chris@1464 99
Chris@1464 100 sudo chown -R www-data /var/svn/*
Chris@1464 101 sudo chmod -R u+w /var/svn/*
Chris@1464 102
Chris@1464 103 And you need to upgrade at least reposman.rb (after r860).
Chris@1464 104
Chris@1464 105 =head1 GIT SMART HTTP SUPPORT
Chris@1464 106
Chris@1464 107 Git's smart HTTP protocol (available since Git 1.7.0) will not work with the
Chris@1464 108 above settings. Redmine.pm normally does access control depending on the HTTP
Chris@1464 109 method used: read-only methods are OK for everyone in public projects and
Chris@1464 110 members with read rights in private projects. The rest require membership with
Chris@1464 111 commit rights in the project.
Chris@1464 112
Chris@1464 113 However, this scheme doesn't work for Git's smart HTTP protocol, as it will use
Chris@1464 114 POST even for a simple clone. Instead, read-only requests must be detected using
Chris@1464 115 the full URL (including the query string): anything that doesn't belong to the
Chris@1464 116 git-receive-pack service is read-only.
Chris@1464 117
Chris@1464 118 To activate this mode of operation, add this line inside your <Location /git>
Chris@1464 119 block:
Chris@1464 120
Chris@1464 121 RedmineGitSmartHttp yes
Chris@1464 122
Chris@1464 123 Here's a sample Apache configuration which integrates git-http-backend with
Chris@1464 124 a MySQL database and this new option:
Chris@1464 125
Chris@1464 126 SetEnv GIT_PROJECT_ROOT /var/www/git/
Chris@1464 127 SetEnv GIT_HTTP_EXPORT_ALL
Chris@1464 128 ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
Chris@1464 129 <Location /git>
Chris@1464 130 Order allow,deny
Chris@1464 131 Allow from all
Chris@1464 132
Chris@1464 133 AuthType Basic
Chris@1464 134 AuthName Git
Chris@1464 135 Require valid-user
Chris@1464 136
Chris@1464 137 PerlAccessHandler Apache::Authn::Redmine::access_handler
Chris@1464 138 PerlAuthenHandler Apache::Authn::Redmine::authen_handler
Chris@1464 139 # for mysql
Chris@1464 140 RedmineDSN "DBI:mysql:database=redmine;host=127.0.0.1"
Chris@1464 141 RedmineDbUser "redmine"
Chris@1464 142 RedmineDbPass "xxx"
Chris@1464 143 RedmineGitSmartHttp yes
Chris@1464 144 </Location>
Chris@1464 145
Chris@1464 146 Make sure that all the names of the repositories under /var/www/git/ have a
Chris@1464 147 matching identifier for some project: /var/www/git/myproject and
Chris@1464 148 /var/www/git/myproject.git will work. You can put both bare and non-bare
Chris@1464 149 repositories in /var/www/git, though bare repositories are strongly
Chris@1464 150 recommended. You should create them with the rights of the user running Redmine,
Chris@1464 151 like this:
Chris@1464 152
Chris@1464 153 cd /var/www/git
Chris@1464 154 sudo -u user-running-redmine mkdir myproject
Chris@1464 155 cd myproject
Chris@1464 156 sudo -u user-running-redmine git init --bare
Chris@1464 157
Chris@1464 158 Once you have activated this option, you have three options when cloning a
Chris@1464 159 repository:
Chris@1464 160
Chris@1464 161 - Cloning using "http://user@host/git/repo(.git)" works, but will ask for the password
Chris@1464 162 all the time.
Chris@1464 163
Chris@1464 164 - Cloning with "http://user:pass@host/git/repo(.git)" does not have this problem, but
Chris@1464 165 this could reveal accidentally your password to the console in some versions
Chris@1464 166 of Git, and you would have to ensure that .git/config is not readable except
Chris@1464 167 by the owner for each of your projects.
Chris@1464 168
Chris@1464 169 - Use "http://host/git/repo(.git)", and store your credentials in the ~/.netrc
Chris@1464 170 file. This is the recommended solution, as you only have one file to protect
Chris@1464 171 and passwords will not be leaked accidentally to the console.
Chris@1464 172
Chris@1464 173 IMPORTANT NOTE: It is *very important* that the file cannot be read by other
Chris@1464 174 users, as it will contain your password in cleartext. To create the file, you
Chris@1464 175 can use the following commands, replacing yourhost, youruser and yourpassword
Chris@1464 176 with the right values:
Chris@1464 177
Chris@1464 178 touch ~/.netrc
Chris@1464 179 chmod 600 ~/.netrc
Chris@1464 180 echo -e "machine yourhost\nlogin youruser\npassword yourpassword" > ~/.netrc
Chris@1464 181
Chris@1464 182 =cut
Chris@1464 183
Chris@1464 184 use strict;
Chris@1464 185 use warnings FATAL => 'all', NONFATAL => 'redefine';
Chris@1464 186
Chris@1464 187 use DBI;
Chris@1464 188 use Digest::SHA;
Chris@1464 189 # optional module for LDAP authentication
Chris@1464 190 my $CanUseLDAPAuth = eval("use Authen::Simple::LDAP; 1");
Chris@1464 191
Chris@1464 192 use Apache2::Module;
Chris@1464 193 use Apache2::Access;
Chris@1464 194 use Apache2::ServerRec qw();
Chris@1464 195 use Apache2::RequestRec qw();
Chris@1464 196 use Apache2::RequestUtil qw();
Chris@1464 197 use Apache2::Const qw(:common :override :cmd_how);
Chris@1464 198 use APR::Pool ();
Chris@1464 199 use APR::Table ();
Chris@1464 200
Chris@1464 201 # use Apache2::Directive qw();
Chris@1464 202
Chris@1464 203 my @directives = (
Chris@1464 204 {
Chris@1464 205 name => 'RedmineDSN',
Chris@1464 206 req_override => OR_AUTHCFG,
Chris@1464 207 args_how => TAKE1,
Chris@1464 208 errmsg => 'Dsn in format used by Perl DBI. eg: "DBI:Pg:dbname=databasename;host=my.db.server"',
Chris@1464 209 },
Chris@1464 210 {
Chris@1464 211 name => 'RedmineDbUser',
Chris@1464 212 req_override => OR_AUTHCFG,
Chris@1464 213 args_how => TAKE1,
Chris@1464 214 },
Chris@1464 215 {
Chris@1464 216 name => 'RedmineDbPass',
Chris@1464 217 req_override => OR_AUTHCFG,
Chris@1464 218 args_how => TAKE1,
Chris@1464 219 },
Chris@1464 220 {
Chris@1464 221 name => 'RedmineDbWhereClause',
Chris@1464 222 req_override => OR_AUTHCFG,
Chris@1464 223 args_how => TAKE1,
Chris@1464 224 },
Chris@1464 225 {
Chris@1464 226 name => 'RedmineCacheCredsMax',
Chris@1464 227 req_override => OR_AUTHCFG,
Chris@1464 228 args_how => TAKE1,
Chris@1464 229 errmsg => 'RedmineCacheCredsMax must be decimal number',
Chris@1464 230 },
Chris@1464 231 {
Chris@1464 232 name => 'RedmineGitSmartHttp',
Chris@1464 233 req_override => OR_AUTHCFG,
Chris@1464 234 args_how => TAKE1,
Chris@1464 235 },
Chris@1464 236 );
Chris@1464 237
Chris@1464 238 sub RedmineDSN {
Chris@1464 239 my ($self, $parms, $arg) = @_;
Chris@1464 240 $self->{RedmineDSN} = $arg;
Chris@1464 241 my $query = "SELECT
Chris@1464 242 users.hashed_password, users.salt, users.auth_source_id, roles.permissions, projects.status
Chris@1464 243 FROM projects, users, roles
Chris@1464 244 WHERE
Chris@1464 245 users.login=?
Chris@1464 246 AND projects.identifier=?
Chris@1464 247 AND users.status=1
Chris@1464 248 AND (
Chris@1464 249 roles.id IN (SELECT member_roles.role_id FROM members, member_roles WHERE members.user_id = users.id AND members.project_id = projects.id AND members.id = member_roles.member_id)
Chris@1464 250 OR
Chris@1464 251 (roles.builtin=1 AND cast(projects.is_public as CHAR) IN ('t', '1'))
Chris@1464 252 )
Chris@1464 253 AND roles.permissions IS NOT NULL";
Chris@1464 254 $self->{RedmineQuery} = trim($query);
Chris@1464 255 }
Chris@1464 256
Chris@1464 257 sub RedmineDbUser { set_val('RedmineDbUser', @_); }
Chris@1464 258 sub RedmineDbPass { set_val('RedmineDbPass', @_); }
Chris@1464 259 sub RedmineDbWhereClause {
Chris@1464 260 my ($self, $parms, $arg) = @_;
Chris@1464 261 $self->{RedmineQuery} = trim($self->{RedmineQuery}.($arg ? $arg : "")." ");
Chris@1464 262 }
Chris@1464 263
Chris@1464 264 sub RedmineCacheCredsMax {
Chris@1464 265 my ($self, $parms, $arg) = @_;
Chris@1464 266 if ($arg) {
Chris@1464 267 $self->{RedmineCachePool} = APR::Pool->new;
Chris@1464 268 $self->{RedmineCacheCreds} = APR::Table::make($self->{RedmineCachePool}, $arg);
Chris@1464 269 $self->{RedmineCacheCredsCount} = 0;
Chris@1464 270 $self->{RedmineCacheCredsMax} = $arg;
Chris@1464 271 }
Chris@1464 272 }
Chris@1464 273
Chris@1464 274 sub RedmineGitSmartHttp {
Chris@1464 275 my ($self, $parms, $arg) = @_;
Chris@1464 276 $arg = lc $arg;
Chris@1464 277
Chris@1464 278 if ($arg eq "yes" || $arg eq "true") {
Chris@1464 279 $self->{RedmineGitSmartHttp} = 1;
Chris@1464 280 } else {
Chris@1464 281 $self->{RedmineGitSmartHttp} = 0;
Chris@1464 282 }
Chris@1464 283 }
Chris@1464 284
Chris@1464 285 sub trim {
Chris@1464 286 my $string = shift;
Chris@1464 287 $string =~ s/\s{2,}/ /g;
Chris@1464 288 return $string;
Chris@1464 289 }
Chris@1464 290
Chris@1464 291 sub set_val {
Chris@1464 292 my ($key, $self, $parms, $arg) = @_;
Chris@1464 293 $self->{$key} = $arg;
Chris@1464 294 }
Chris@1464 295
Chris@1464 296 Apache2::Module::add(__PACKAGE__, \@directives);
Chris@1464 297
Chris@1464 298
Chris@1464 299 my %read_only_methods = map { $_ => 1 } qw/GET HEAD PROPFIND REPORT OPTIONS/;
Chris@1464 300
Chris@1464 301 sub request_is_read_only {
Chris@1464 302 my ($r) = @_;
Chris@1464 303 my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);
Chris@1464 304
Chris@1464 305 # Do we use Git's smart HTTP protocol, or not?
Chris@1464 306 if (defined $cfg->{RedmineGitSmartHttp} and $cfg->{RedmineGitSmartHttp}) {
Chris@1464 307 my $uri = $r->unparsed_uri;
Chris@1464 308 my $location = $r->location;
Chris@1464 309 my $is_read_only = $uri !~ m{^$location/*[^/]+/+(info/refs\?service=)?git\-receive\-pack$}o;
Chris@1464 310 return $is_read_only;
Chris@1464 311 } else {
Chris@1464 312 # Standard behaviour: check the HTTP method
Chris@1464 313 my $method = $r->method;
Chris@1464 314 return defined $read_only_methods{$method};
Chris@1464 315 }
Chris@1464 316 }
Chris@1464 317
Chris@1464 318 sub access_handler {
Chris@1464 319 my $r = shift;
Chris@1464 320
Chris@1464 321 unless ($r->some_auth_required) {
Chris@1464 322 $r->log_reason("No authentication has been configured");
Chris@1464 323 return FORBIDDEN;
Chris@1464 324 }
Chris@1464 325
Chris@1464 326 return OK unless request_is_read_only($r);
Chris@1464 327
Chris@1464 328 my $project_id = get_project_identifier($r);
Chris@1464 329
Chris@1464 330 $r->set_handlers(PerlAuthenHandler => [\&OK])
Chris@1464 331 if is_public_project($project_id, $r) && anonymous_role_allows_browse_repository($r);
Chris@1464 332
Chris@1464 333 return OK
Chris@1464 334 }
Chris@1464 335
Chris@1464 336 sub authen_handler {
Chris@1464 337 my $r = shift;
Chris@1464 338
Chris@1464 339 my ($res, $redmine_pass) = $r->get_basic_auth_pw();
Chris@1464 340 return $res unless $res == OK;
Chris@1464 341
Chris@1464 342 if (is_member($r->user, $redmine_pass, $r)) {
Chris@1464 343 return OK;
Chris@1464 344 } else {
Chris@1464 345 $r->note_auth_failure();
Chris@1464 346 return DECLINED;
Chris@1464 347 }
Chris@1464 348 }
Chris@1464 349
Chris@1464 350 # check if authentication is forced
Chris@1464 351 sub is_authentication_forced {
Chris@1464 352 my $r = shift;
Chris@1464 353
Chris@1464 354 my $dbh = connect_database($r);
Chris@1464 355 my $sth = $dbh->prepare(
Chris@1464 356 "SELECT value FROM settings where settings.name = 'login_required';"
Chris@1464 357 );
Chris@1464 358
Chris@1464 359 $sth->execute();
Chris@1464 360 my $ret = 0;
Chris@1464 361 if (my @row = $sth->fetchrow_array) {
Chris@1464 362 if ($row[0] eq "1" || $row[0] eq "t") {
Chris@1464 363 $ret = 1;
Chris@1464 364 }
Chris@1464 365 }
Chris@1464 366 $sth->finish();
Chris@1464 367 undef $sth;
Chris@1464 368
Chris@1464 369 $dbh->disconnect();
Chris@1464 370 undef $dbh;
Chris@1464 371
Chris@1464 372 $ret;
Chris@1464 373 }
Chris@1464 374
Chris@1464 375 sub is_public_project {
Chris@1464 376 my $project_id = shift;
Chris@1464 377 my $r = shift;
Chris@1464 378
Chris@1464 379 if (is_authentication_forced($r)) {
Chris@1464 380 return 0;
Chris@1464 381 }
Chris@1464 382
Chris@1464 383 my $dbh = connect_database($r);
Chris@1464 384 my $sth = $dbh->prepare(
Chris@1464 385 "SELECT is_public FROM projects WHERE projects.identifier = ? AND projects.status <> 9;"
Chris@1464 386 );
Chris@1464 387
Chris@1464 388 $sth->execute($project_id);
Chris@1464 389 my $ret = 0;
Chris@1464 390 if (my @row = $sth->fetchrow_array) {
Chris@1464 391 if ($row[0] eq "1" || $row[0] eq "t") {
Chris@1464 392 $ret = 1;
Chris@1464 393 }
Chris@1464 394 }
Chris@1464 395 $sth->finish();
Chris@1464 396 undef $sth;
Chris@1464 397 $dbh->disconnect();
Chris@1464 398 undef $dbh;
Chris@1464 399
Chris@1464 400 $ret;
Chris@1464 401 }
Chris@1464 402
Chris@1464 403 sub anonymous_role_allows_browse_repository {
Chris@1464 404 my $r = shift;
Chris@1464 405
Chris@1464 406 my $dbh = connect_database($r);
Chris@1464 407 my $sth = $dbh->prepare(
Chris@1464 408 "SELECT permissions FROM roles WHERE builtin = 2;"
Chris@1464 409 );
Chris@1464 410
Chris@1464 411 $sth->execute();
Chris@1464 412 my $ret = 0;
Chris@1464 413 if (my @row = $sth->fetchrow_array) {
Chris@1464 414 if ($row[0] =~ /:browse_repository/) {
Chris@1464 415 $ret = 1;
Chris@1464 416 }
Chris@1464 417 }
Chris@1464 418 $sth->finish();
Chris@1464 419 undef $sth;
Chris@1464 420 $dbh->disconnect();
Chris@1464 421 undef $dbh;
Chris@1464 422
Chris@1464 423 $ret;
Chris@1464 424 }
Chris@1464 425
Chris@1464 426 # perhaps we should use repository right (other read right) to check public access.
Chris@1464 427 # it could be faster BUT it doesn't work for the moment.
Chris@1464 428 # sub is_public_project_by_file {
Chris@1464 429 # my $project_id = shift;
Chris@1464 430 # my $r = shift;
Chris@1464 431
Chris@1464 432 # my $tree = Apache2::Directive::conftree();
Chris@1464 433 # my $node = $tree->lookup('Location', $r->location);
Chris@1464 434 # my $hash = $node->as_hash;
Chris@1464 435
Chris@1464 436 # my $svnparentpath = $hash->{SVNParentPath};
Chris@1464 437 # my $repos_path = $svnparentpath . "/" . $project_id;
Chris@1464 438 # return 1 if (stat($repos_path))[2] & 00007;
Chris@1464 439 # }
Chris@1464 440
Chris@1464 441 sub is_member {
Chris@1464 442 my $redmine_user = shift;
Chris@1464 443 my $redmine_pass = shift;
Chris@1464 444 my $r = shift;
Chris@1464 445
Chris@1464 446 my $dbh = connect_database($r);
Chris@1464 447 my $project_id = get_project_identifier($r);
Chris@1464 448
Chris@1464 449 my $pass_digest = Digest::SHA::sha1_hex($redmine_pass);
Chris@1464 450
Chris@1464 451 my $access_mode = request_is_read_only($r) ? "R" : "W";
Chris@1464 452
Chris@1464 453 my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);
Chris@1464 454 my $usrprojpass;
Chris@1464 455 if ($cfg->{RedmineCacheCredsMax}) {
Chris@1464 456 $usrprojpass = $cfg->{RedmineCacheCreds}->get($redmine_user.":".$project_id.":".$access_mode);
Chris@1464 457 return 1 if (defined $usrprojpass and ($usrprojpass eq $pass_digest));
Chris@1464 458 }
Chris@1464 459 my $query = $cfg->{RedmineQuery};
Chris@1464 460 my $sth = $dbh->prepare($query);
Chris@1464 461 $sth->execute($redmine_user, $project_id);
Chris@1464 462
Chris@1464 463 my $ret;
Chris@1464 464 while (my ($hashed_password, $salt, $auth_source_id, $permissions, $project_status) = $sth->fetchrow_array) {
Chris@1464 465 if ($project_status eq "9" || ($project_status ne "1" && $access_mode eq "W")) {
Chris@1464 466 last;
Chris@1464 467 }
Chris@1464 468
Chris@1464 469 unless ($auth_source_id) {
Chris@1464 470 my $method = $r->method;
Chris@1464 471 my $salted_password = Digest::SHA::sha1_hex($salt.$pass_digest);
Chris@1464 472 if ($hashed_password eq $salted_password && (($access_mode eq "R" && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/) ) {
Chris@1464 473 $ret = 1;
Chris@1464 474 last;
Chris@1464 475 }
Chris@1464 476 } elsif ($CanUseLDAPAuth) {
Chris@1464 477 my $sthldap = $dbh->prepare(
Chris@1464 478 "SELECT host,port,tls,account,account_password,base_dn,attr_login from auth_sources WHERE id = ?;"
Chris@1464 479 );
Chris@1464 480 $sthldap->execute($auth_source_id);
Chris@1464 481 while (my @rowldap = $sthldap->fetchrow_array) {
Chris@1464 482 my $bind_as = $rowldap[3] ? $rowldap[3] : "";
Chris@1464 483 my $bind_pw = $rowldap[4] ? $rowldap[4] : "";
Chris@1464 484 if ($bind_as =~ m/\$login/) {
Chris@1464 485 # replace $login with $redmine_user and use $redmine_pass
Chris@1464 486 $bind_as =~ s/\$login/$redmine_user/g;
Chris@1464 487 $bind_pw = $redmine_pass
Chris@1464 488 }
Chris@1464 489 my $ldap = Authen::Simple::LDAP->new(
Chris@1464 490 host => ($rowldap[2] eq "1" || $rowldap[2] eq "t") ? "ldaps://$rowldap[0]:$rowldap[1]" : $rowldap[0],
Chris@1464 491 port => $rowldap[1],
Chris@1464 492 basedn => $rowldap[5],
Chris@1464 493 binddn => $bind_as,
Chris@1464 494 bindpw => $bind_pw,
Chris@1464 495 filter => "(".$rowldap[6]."=%s)"
Chris@1464 496 );
Chris@1464 497 my $method = $r->method;
Chris@1464 498 $ret = 1 if ($ldap->authenticate($redmine_user, $redmine_pass) && (($access_mode eq "R" && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/));
Chris@1464 499
Chris@1464 500 }
Chris@1464 501 $sthldap->finish();
Chris@1464 502 undef $sthldap;
Chris@1464 503 }
Chris@1464 504 }
Chris@1464 505 $sth->finish();
Chris@1464 506 undef $sth;
Chris@1464 507 $dbh->disconnect();
Chris@1464 508 undef $dbh;
Chris@1464 509
Chris@1464 510 if ($cfg->{RedmineCacheCredsMax} and $ret) {
Chris@1464 511 if (defined $usrprojpass) {
Chris@1464 512 $cfg->{RedmineCacheCreds}->set($redmine_user.":".$project_id.":".$access_mode, $pass_digest);
Chris@1464 513 } else {
Chris@1464 514 if ($cfg->{RedmineCacheCredsCount} < $cfg->{RedmineCacheCredsMax}) {
Chris@1464 515 $cfg->{RedmineCacheCreds}->set($redmine_user.":".$project_id.":".$access_mode, $pass_digest);
Chris@1464 516 $cfg->{RedmineCacheCredsCount}++;
Chris@1464 517 } else {
Chris@1464 518 $cfg->{RedmineCacheCreds}->clear();
Chris@1464 519 $cfg->{RedmineCacheCredsCount} = 0;
Chris@1464 520 }
Chris@1464 521 }
Chris@1464 522 }
Chris@1464 523
Chris@1464 524 $ret;
Chris@1464 525 }
Chris@1464 526
Chris@1464 527 sub get_project_identifier {
Chris@1464 528 my $r = shift;
Chris@1464 529
Chris@1464 530 my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);
Chris@1464 531 my $location = $r->location;
Chris@1464 532 $location =~ s/\.git$// if (defined $cfg->{RedmineGitSmartHttp} and $cfg->{RedmineGitSmartHttp});
Chris@1464 533 my ($identifier) = $r->uri =~ m{$location/*([^/.]+)};
Chris@1464 534 $identifier;
Chris@1464 535 }
Chris@1464 536
Chris@1464 537 sub connect_database {
Chris@1464 538 my $r = shift;
Chris@1464 539
Chris@1464 540 my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);
Chris@1464 541 return DBI->connect($cfg->{RedmineDSN}, $cfg->{RedmineDbUser}, $cfg->{RedmineDbPass});
Chris@1464 542 }
Chris@1464 543
Chris@1464 544 1;