Mercurial > hg > soundsoftware-site

annotate .svn/pristine/58/58919c55a2dd0b48c7152f7b1adf06799d9cbcd6.svn-base @ 1298:4f746d8966dd redmine_2.3_integration

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Merge from redmine-2.3 branch to create new branch redmine-2.3-integration
author Chris Cannam
date Fri, 14 Jun 2013 09:28:30 +0100
parents 622f24f53b42
children
rev   line source
Chris@1295 1 package Apache::Authn::Redmine;
Chris@1295 2
Chris@1295 3 =head1 Apache::Authn::Redmine
Chris@1295 4
Chris@1295 5 Redmine - a mod_perl module to authenticate webdav subversion users
Chris@1295 6 against redmine database
Chris@1295 7
Chris@1295 8 =head1 SYNOPSIS
Chris@1295 9
Chris@1295 10 This module allow anonymous users to browse public project and
Chris@1295 11 registred users to browse and commit their project. Authentication is
Chris@1295 12 done against the redmine database or the LDAP configured in redmine.
Chris@1295 13
Chris@1295 14 This method is far simpler than the one with pam_* and works with all
Chris@1295 15 database without an hassle but you need to have apache/mod_perl on the
Chris@1295 16 svn server.
Chris@1295 17
Chris@1295 18 =head1 INSTALLATION
Chris@1295 19
Chris@1295 20 For this to automagically work, you need to have a recent reposman.rb
Chris@1295 21 (after r860) and if you already use reposman, read the last section to
Chris@1295 22 migrate.
Chris@1295 23
Chris@1295 24 Sorry ruby users but you need some perl modules, at least mod_perl2,
Chris@1295 25 DBI and DBD::mysql (or the DBD driver for you database as it should
Chris@1295 26 work on allmost all databases).
Chris@1295 27
Chris@1295 28 On debian/ubuntu you must do :
Chris@1295 29
Chris@1295 30 aptitude install libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl
Chris@1295 31
Chris@1295 32 If your Redmine users use LDAP authentication, you will also need
Chris@1295 33 Authen::Simple::LDAP (and IO::Socket::SSL if LDAPS is used):
Chris@1295 34
Chris@1295 35 aptitude install libauthen-simple-ldap-perl libio-socket-ssl-perl
Chris@1295 36
Chris@1295 37 =head1 CONFIGURATION
Chris@1295 38
Chris@1295 39 ## This module has to be in your perl path
Chris@1295 40 ## eg: /usr/lib/perl5/Apache/Authn/Redmine.pm
Chris@1295 41 PerlLoadModule Apache::Authn::Redmine
Chris@1295 42 <Location /svn>
Chris@1295 43 DAV svn
Chris@1295 44 SVNParentPath "/var/svn"
Chris@1295 45
Chris@1295 46 AuthType Basic
Chris@1295 47 AuthName redmine
Chris@1295 48 Require valid-user
Chris@1295 49
Chris@1295 50 PerlAccessHandler Apache::Authn::Redmine::access_handler
Chris@1295 51 PerlAuthenHandler Apache::Authn::Redmine::authen_handler
Chris@1295 52
Chris@1295 53 ## for mysql
Chris@1295 54 RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
Chris@1295 55 ## for postgres
Chris@1295 56 # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
Chris@1295 57
Chris@1295 58 RedmineDbUser "redmine"
Chris@1295 59 RedmineDbPass "password"
Chris@1295 60 ## Optional where clause (fulltext search would be slow and
Chris@1295 61 ## database dependant).
Chris@1295 62 # RedmineDbWhereClause "and members.role_id IN (1,2)"
Chris@1295 63 ## Optional credentials cache size
Chris@1295 64 # RedmineCacheCredsMax 50
Chris@1295 65 </Location>
Chris@1295 66
Chris@1295 67 To be able to browse repository inside redmine, you must add something
Chris@1295 68 like that :
Chris@1295 69
Chris@1295 70 <Location /svn-private>
Chris@1295 71 DAV svn
Chris@1295 72 SVNParentPath "/var/svn"
Chris@1295 73 Order deny,allow
Chris@1295 74 Deny from all
Chris@1295 75 # only allow reading orders
Chris@1295 76 <Limit GET PROPFIND OPTIONS REPORT>
Chris@1295 77 Allow from redmine.server.ip
Chris@1295 78 </Limit>
Chris@1295 79 </Location>
Chris@1295 80
Chris@1295 81 and you will have to use this reposman.rb command line to create repository :
Chris@1295 82
Chris@1295 83 reposman.rb --redmine my.redmine.server --svn-dir /var/svn --owner www-data -u http://svn.server/svn-private/
Chris@1295 84
Chris@1295 85 =head1 REPOSITORIES NAMING
Chris@1295 86
Chris@1295 87 A projet repository must be named with the projet identifier. In case
Chris@1295 88 of multiple repositories for the same project, use the project identifier
Chris@1295 89 and the repository identifier separated with a dot:
Chris@1295 90
Chris@1295 91 /var/svn/foo
Chris@1295 92 /var/svn/foo.otherrepo
Chris@1295 93
Chris@1295 94 =head1 MIGRATION FROM OLDER RELEASES
Chris@1295 95
Chris@1295 96 If you use an older reposman.rb (r860 or before), you need to change
Chris@1295 97 rights on repositories to allow the apache user to read and write
Chris@1295 98 S<them :>
Chris@1295 99
Chris@1295 100 sudo chown -R www-data /var/svn/*
Chris@1295 101 sudo chmod -R u+w /var/svn/*
Chris@1295 102
Chris@1295 103 And you need to upgrade at least reposman.rb (after r860).
Chris@1295 104
Chris@1295 105 =head1 GIT SMART HTTP SUPPORT
Chris@1295 106
Chris@1295 107 Git's smart HTTP protocol (available since Git 1.7.0) will not work with the
Chris@1295 108 above settings. Redmine.pm normally does access control depending on the HTTP
Chris@1295 109 method used: read-only methods are OK for everyone in public projects and
Chris@1295 110 members with read rights in private projects. The rest require membership with
Chris@1295 111 commit rights in the project.
Chris@1295 112
Chris@1295 113 However, this scheme doesn't work for Git's smart HTTP protocol, as it will use
Chris@1295 114 POST even for a simple clone. Instead, read-only requests must be detected using
Chris@1295 115 the full URL (including the query string): anything that doesn't belong to the
Chris@1295 116 git-receive-pack service is read-only.
Chris@1295 117
Chris@1295 118 To activate this mode of operation, add this line inside your <Location /git>
Chris@1295 119 block:
Chris@1295 120
Chris@1295 121 RedmineGitSmartHttp yes
Chris@1295 122
Chris@1295 123 Here's a sample Apache configuration which integrates git-http-backend with
Chris@1295 124 a MySQL database and this new option:
Chris@1295 125
Chris@1295 126 SetEnv GIT_PROJECT_ROOT /var/www/git/
Chris@1295 127 SetEnv GIT_HTTP_EXPORT_ALL
Chris@1295 128 ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
Chris@1295 129 <Location /git>
Chris@1295 130 Order allow,deny
Chris@1295 131 Allow from all
Chris@1295 132
Chris@1295 133 AuthType Basic
Chris@1295 134 AuthName Git
Chris@1295 135 Require valid-user
Chris@1295 136
Chris@1295 137 PerlAccessHandler Apache::Authn::Redmine::access_handler
Chris@1295 138 PerlAuthenHandler Apache::Authn::Redmine::authen_handler
Chris@1295 139 # for mysql
Chris@1295 140 RedmineDSN "DBI:mysql:database=redmine;host=127.0.0.1"
Chris@1295 141 RedmineDbUser "redmine"
Chris@1295 142 RedmineDbPass "xxx"
Chris@1295 143 RedmineGitSmartHttp yes
Chris@1295 144 </Location>
Chris@1295 145
Chris@1295 146 Make sure that all the names of the repositories under /var/www/git/ have a
Chris@1295 147 matching identifier for some project: /var/www/git/myproject and
Chris@1295 148 /var/www/git/myproject.git will work. You can put both bare and non-bare
Chris@1295 149 repositories in /var/www/git, though bare repositories are strongly
Chris@1295 150 recommended. You should create them with the rights of the user running Redmine,
Chris@1295 151 like this:
Chris@1295 152
Chris@1295 153 cd /var/www/git
Chris@1295 154 sudo -u user-running-redmine mkdir myproject
Chris@1295 155 cd myproject
Chris@1295 156 sudo -u user-running-redmine git init --bare
Chris@1295 157
Chris@1295 158 Once you have activated this option, you have three options when cloning a
Chris@1295 159 repository:
Chris@1295 160
Chris@1295 161 - Cloning using "http://user@host/git/repo(.git)" works, but will ask for the password
Chris@1295 162 all the time.
Chris@1295 163
Chris@1295 164 - Cloning with "http://user:pass@host/git/repo(.git)" does not have this problem, but
Chris@1295 165 this could reveal accidentally your password to the console in some versions
Chris@1295 166 of Git, and you would have to ensure that .git/config is not readable except
Chris@1295 167 by the owner for each of your projects.
Chris@1295 168
Chris@1295 169 - Use "http://host/git/repo(.git)", and store your credentials in the ~/.netrc
Chris@1295 170 file. This is the recommended solution, as you only have one file to protect
Chris@1295 171 and passwords will not be leaked accidentally to the console.
Chris@1295 172
Chris@1295 173 IMPORTANT NOTE: It is *very important* that the file cannot be read by other
Chris@1295 174 users, as it will contain your password in cleartext. To create the file, you
Chris@1295 175 can use the following commands, replacing yourhost, youruser and yourpassword
Chris@1295 176 with the right values:
Chris@1295 177
Chris@1295 178 touch ~/.netrc
Chris@1295 179 chmod 600 ~/.netrc
Chris@1295 180 echo -e "machine yourhost\nlogin youruser\npassword yourpassword" > ~/.netrc
Chris@1295 181
Chris@1295 182 =cut
Chris@1295 183
Chris@1295 184 use strict;
Chris@1295 185 use warnings FATAL => 'all', NONFATAL => 'redefine';
Chris@1295 186
Chris@1295 187 use DBI;
Chris@1295 188 use Digest::SHA;
Chris@1295 189 # optional module for LDAP authentication
Chris@1295 190 my $CanUseLDAPAuth = eval("use Authen::Simple::LDAP; 1");
Chris@1295 191
Chris@1295 192 use Apache2::Module;
Chris@1295 193 use Apache2::Access;
Chris@1295 194 use Apache2::ServerRec qw();
Chris@1295 195 use Apache2::RequestRec qw();
Chris@1295 196 use Apache2::RequestUtil qw();
Chris@1295 197 use Apache2::Const qw(:common :override :cmd_how);
Chris@1295 198 use APR::Pool ();
Chris@1295 199 use APR::Table ();
Chris@1295 200
Chris@1295 201 # use Apache2::Directive qw();
Chris@1295 202
Chris@1295 203 my @directives = (
Chris@1295 204 {
Chris@1295 205 name => 'RedmineDSN',
Chris@1295 206 req_override => OR_AUTHCFG,
Chris@1295 207 args_how => TAKE1,
Chris@1295 208 errmsg => 'Dsn in format used by Perl DBI. eg: "DBI:Pg:dbname=databasename;host=my.db.server"',
Chris@1295 209 },
Chris@1295 210 {
Chris@1295 211 name => 'RedmineDbUser',
Chris@1295 212 req_override => OR_AUTHCFG,
Chris@1295 213 args_how => TAKE1,
Chris@1295 214 },
Chris@1295 215 {
Chris@1295 216 name => 'RedmineDbPass',
Chris@1295 217 req_override => OR_AUTHCFG,
Chris@1295 218 args_how => TAKE1,
Chris@1295 219 },
Chris@1295 220 {
Chris@1295 221 name => 'RedmineDbWhereClause',
Chris@1295 222 req_override => OR_AUTHCFG,
Chris@1295 223 args_how => TAKE1,
Chris@1295 224 },
Chris@1295 225 {
Chris@1295 226 name => 'RedmineCacheCredsMax',
Chris@1295 227 req_override => OR_AUTHCFG,
Chris@1295 228 args_how => TAKE1,
Chris@1295 229 errmsg => 'RedmineCacheCredsMax must be decimal number',
Chris@1295 230 },
Chris@1295 231 {
Chris@1295 232 name => 'RedmineGitSmartHttp',
Chris@1295 233 req_override => OR_AUTHCFG,
Chris@1295 234 args_how => TAKE1,
Chris@1295 235 },
Chris@1295 236 );
Chris@1295 237
Chris@1295 238 sub RedmineDSN {
Chris@1295 239 my ($self, $parms, $arg) = @_;
Chris@1295 240 $self->{RedmineDSN} = $arg;
Chris@1295 241 my $query = "SELECT
Chris@1295 242 users.hashed_password, users.salt, users.auth_source_id, roles.permissions, projects.status
Chris@1295 243 FROM projects, users, roles
Chris@1295 244 WHERE
Chris@1295 245 users.login=?
Chris@1295 246 AND projects.identifier=?
Chris@1295 247 AND users.status=1
Chris@1295 248 AND (
Chris@1295 249 roles.id IN (SELECT member_roles.role_id FROM members, member_roles WHERE members.user_id = users.id AND members.project_id = projects.id AND members.id = member_roles.member_id)
Chris@1295 250 OR
Chris@1295 251 (roles.builtin=1 AND cast(projects.is_public as CHAR) IN ('t', '1'))
Chris@1295 252 )
Chris@1295 253 AND roles.permissions IS NOT NULL";
Chris@1295 254 $self->{RedmineQuery} = trim($query);
Chris@1295 255 }
Chris@1295 256
Chris@1295 257 sub RedmineDbUser { set_val('RedmineDbUser', @_); }
Chris@1295 258 sub RedmineDbPass { set_val('RedmineDbPass', @_); }
Chris@1295 259 sub RedmineDbWhereClause {
Chris@1295 260 my ($self, $parms, $arg) = @_;
Chris@1295 261 $self->{RedmineQuery} = trim($self->{RedmineQuery}.($arg ? $arg : "")." ");
Chris@1295 262 }
Chris@1295 263
Chris@1295 264 sub RedmineCacheCredsMax {
Chris@1295 265 my ($self, $parms, $arg) = @_;
Chris@1295 266 if ($arg) {
Chris@1295 267 $self->{RedmineCachePool} = APR::Pool->new;
Chris@1295 268 $self->{RedmineCacheCreds} = APR::Table::make($self->{RedmineCachePool}, $arg);
Chris@1295 269 $self->{RedmineCacheCredsCount} = 0;
Chris@1295 270 $self->{RedmineCacheCredsMax} = $arg;
Chris@1295 271 }
Chris@1295 272 }
Chris@1295 273
Chris@1295 274 sub RedmineGitSmartHttp {
Chris@1295 275 my ($self, $parms, $arg) = @_;
Chris@1295 276 $arg = lc $arg;
Chris@1295 277
Chris@1295 278 if ($arg eq "yes" || $arg eq "true") {
Chris@1295 279 $self->{RedmineGitSmartHttp} = 1;
Chris@1295 280 } else {
Chris@1295 281 $self->{RedmineGitSmartHttp} = 0;
Chris@1295 282 }
Chris@1295 283 }
Chris@1295 284
Chris@1295 285 sub trim {
Chris@1295 286 my $string = shift;
Chris@1295 287 $string =~ s/\s{2,}/ /g;
Chris@1295 288 return $string;
Chris@1295 289 }
Chris@1295 290
Chris@1295 291 sub set_val {
Chris@1295 292 my ($key, $self, $parms, $arg) = @_;
Chris@1295 293 $self->{$key} = $arg;
Chris@1295 294 }
Chris@1295 295
Chris@1295 296 Apache2::Module::add(__PACKAGE__, \@directives);
Chris@1295 297
Chris@1295 298
Chris@1295 299 my %read_only_methods = map { $_ => 1 } qw/GET HEAD PROPFIND REPORT OPTIONS/;
Chris@1295 300
Chris@1295 301 sub request_is_read_only {
Chris@1295 302 my ($r) = @_;
Chris@1295 303 my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);
Chris@1295 304
Chris@1295 305 # Do we use Git's smart HTTP protocol, or not?
Chris@1295 306 if (defined $cfg->{RedmineGitSmartHttp} and $cfg->{RedmineGitSmartHttp}) {
Chris@1295 307 my $uri = $r->unparsed_uri;
Chris@1295 308 my $location = $r->location;
Chris@1295 309 my $is_read_only = $uri !~ m{^$location/*[^/]+/+(info/refs\?service=)?git\-receive\-pack$}o;
Chris@1295 310 return $is_read_only;
Chris@1295 311 } else {
Chris@1295 312 # Standard behaviour: check the HTTP method
Chris@1295 313 my $method = $r->method;
Chris@1295 314 return defined $read_only_methods{$method};
Chris@1295 315 }
Chris@1295 316 }
Chris@1295 317
Chris@1295 318 sub access_handler {
Chris@1295 319 my $r = shift;
Chris@1295 320
Chris@1295 321 unless ($r->some_auth_required) {
Chris@1295 322 $r->log_reason("No authentication has been configured");
Chris@1295 323 return FORBIDDEN;
Chris@1295 324 }
Chris@1295 325
Chris@1295 326 return OK unless request_is_read_only($r);
Chris@1295 327
Chris@1295 328 my $project_id = get_project_identifier($r);
Chris@1295 329
Chris@1295 330 $r->set_handlers(PerlAuthenHandler => [\&OK])
Chris@1295 331 if is_public_project($project_id, $r) && anonymous_role_allows_browse_repository($r);
Chris@1295 332
Chris@1295 333 return OK
Chris@1295 334 }
Chris@1295 335
Chris@1295 336 sub authen_handler {
Chris@1295 337 my $r = shift;
Chris@1295 338
Chris@1295 339 my ($res, $redmine_pass) = $r->get_basic_auth_pw();
Chris@1295 340 return $res unless $res == OK;
Chris@1295 341
Chris@1295 342 if (is_member($r->user, $redmine_pass, $r)) {
Chris@1295 343 return OK;
Chris@1295 344 } else {
Chris@1295 345 $r->note_auth_failure();
Chris@1295 346 return DECLINED;
Chris@1295 347 }
Chris@1295 348 }
Chris@1295 349
Chris@1295 350 # check if authentication is forced
Chris@1295 351 sub is_authentication_forced {
Chris@1295 352 my $r = shift;
Chris@1295 353
Chris@1295 354 my $dbh = connect_database($r);
Chris@1295 355 my $sth = $dbh->prepare(
Chris@1295 356 "SELECT value FROM settings where settings.name = 'login_required';"
Chris@1295 357 );
Chris@1295 358
Chris@1295 359 $sth->execute();
Chris@1295 360 my $ret = 0;
Chris@1295 361 if (my @row = $sth->fetchrow_array) {
Chris@1295 362 if ($row[0] eq "1" || $row[0] eq "t") {
Chris@1295 363 $ret = 1;
Chris@1295 364 }
Chris@1295 365 }
Chris@1295 366 $sth->finish();
Chris@1295 367 undef $sth;
Chris@1295 368
Chris@1295 369 $dbh->disconnect();
Chris@1295 370 undef $dbh;
Chris@1295 371
Chris@1295 372 $ret;
Chris@1295 373 }
Chris@1295 374
Chris@1295 375 sub is_public_project {
Chris@1295 376 my $project_id = shift;
Chris@1295 377 my $r = shift;
Chris@1295 378
Chris@1295 379 if (is_authentication_forced($r)) {
Chris@1295 380 return 0;
Chris@1295 381 }
Chris@1295 382
Chris@1295 383 my $dbh = connect_database($r);
Chris@1295 384 my $sth = $dbh->prepare(
Chris@1295 385 "SELECT is_public FROM projects WHERE projects.identifier = ? AND projects.status <> 9;"
Chris@1295 386 );
Chris@1295 387
Chris@1295 388 $sth->execute($project_id);
Chris@1295 389 my $ret = 0;
Chris@1295 390 if (my @row = $sth->fetchrow_array) {
Chris@1295 391 if ($row[0] eq "1" || $row[0] eq "t") {
Chris@1295 392 $ret = 1;
Chris@1295 393 }
Chris@1295 394 }
Chris@1295 395 $sth->finish();
Chris@1295 396 undef $sth;
Chris@1295 397 $dbh->disconnect();
Chris@1295 398 undef $dbh;
Chris@1295 399
Chris@1295 400 $ret;
Chris@1295 401 }
Chris@1295 402
Chris@1295 403 sub anonymous_role_allows_browse_repository {
Chris@1295 404 my $r = shift;
Chris@1295 405
Chris@1295 406 my $dbh = connect_database($r);
Chris@1295 407 my $sth = $dbh->prepare(
Chris@1295 408 "SELECT permissions FROM roles WHERE builtin = 2;"
Chris@1295 409 );
Chris@1295 410
Chris@1295 411 $sth->execute();
Chris@1295 412 my $ret = 0;
Chris@1295 413 if (my @row = $sth->fetchrow_array) {
Chris@1295 414 if ($row[0] =~ /:browse_repository/) {
Chris@1295 415 $ret = 1;
Chris@1295 416 }
Chris@1295 417 }
Chris@1295 418 $sth->finish();
Chris@1295 419 undef $sth;
Chris@1295 420 $dbh->disconnect();
Chris@1295 421 undef $dbh;
Chris@1295 422
Chris@1295 423 $ret;
Chris@1295 424 }
Chris@1295 425
Chris@1295 426 # perhaps we should use repository right (other read right) to check public access.
Chris@1295 427 # it could be faster BUT it doesn't work for the moment.
Chris@1295 428 # sub is_public_project_by_file {
Chris@1295 429 # my $project_id = shift;
Chris@1295 430 # my $r = shift;
Chris@1295 431
Chris@1295 432 # my $tree = Apache2::Directive::conftree();
Chris@1295 433 # my $node = $tree->lookup('Location', $r->location);
Chris@1295 434 # my $hash = $node->as_hash;
Chris@1295 435
Chris@1295 436 # my $svnparentpath = $hash->{SVNParentPath};
Chris@1295 437 # my $repos_path = $svnparentpath . "/" . $project_id;
Chris@1295 438 # return 1 if (stat($repos_path))[2] & 00007;
Chris@1295 439 # }
Chris@1295 440
Chris@1295 441 sub is_member {
Chris@1295 442 my $redmine_user = shift;
Chris@1295 443 my $redmine_pass = shift;
Chris@1295 444 my $r = shift;
Chris@1295 445
Chris@1295 446 my $dbh = connect_database($r);
Chris@1295 447 my $project_id = get_project_identifier($r);
Chris@1295 448
Chris@1295 449 my $pass_digest = Digest::SHA::sha1_hex($redmine_pass);
Chris@1295 450
Chris@1295 451 my $access_mode = request_is_read_only($r) ? "R" : "W";
Chris@1295 452
Chris@1295 453 my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);
Chris@1295 454 my $usrprojpass;
Chris@1295 455 if ($cfg->{RedmineCacheCredsMax}) {
Chris@1295 456 $usrprojpass = $cfg->{RedmineCacheCreds}->get($redmine_user.":".$project_id.":".$access_mode);
Chris@1295 457 return 1 if (defined $usrprojpass and ($usrprojpass eq $pass_digest));
Chris@1295 458 }
Chris@1295 459 my $query = $cfg->{RedmineQuery};
Chris@1295 460 my $sth = $dbh->prepare($query);
Chris@1295 461 $sth->execute($redmine_user, $project_id);
Chris@1295 462
Chris@1295 463 my $ret;
Chris@1295 464 while (my ($hashed_password, $salt, $auth_source_id, $permissions, $project_status) = $sth->fetchrow_array) {
Chris@1295 465 if ($project_status eq "9" || ($project_status ne "1" && $access_mode eq "W")) {
Chris@1295 466 last;
Chris@1295 467 }
Chris@1295 468
Chris@1295 469 unless ($auth_source_id) {
Chris@1295 470 my $method = $r->method;
Chris@1295 471 my $salted_password = Digest::SHA::sha1_hex($salt.$pass_digest);
Chris@1295 472 if ($hashed_password eq $salted_password && (($access_mode eq "R" && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/) ) {
Chris@1295 473 $ret = 1;
Chris@1295 474 last;
Chris@1295 475 }
Chris@1295 476 } elsif ($CanUseLDAPAuth) {
Chris@1295 477 my $sthldap = $dbh->prepare(
Chris@1295 478 "SELECT host,port,tls,account,account_password,base_dn,attr_login from auth_sources WHERE id = ?;"
Chris@1295 479 );
Chris@1295 480 $sthldap->execute($auth_source_id);
Chris@1295 481 while (my @rowldap = $sthldap->fetchrow_array) {
Chris@1295 482 my $bind_as = $rowldap[3] ? $rowldap[3] : "";
Chris@1295 483 my $bind_pw = $rowldap[4] ? $rowldap[4] : "";
Chris@1295 484 if ($bind_as =~ m/\$login/) {
Chris@1295 485 # replace $login with $redmine_user and use $redmine_pass
Chris@1295 486 $bind_as =~ s/\$login/$redmine_user/g;
Chris@1295 487 $bind_pw = $redmine_pass
Chris@1295 488 }
Chris@1295 489 my $ldap = Authen::Simple::LDAP->new(
Chris@1295 490 host => ($rowldap[2] eq "1" || $rowldap[2] eq "t") ? "ldaps://$rowldap[0]:$rowldap[1]" : $rowldap[0],
Chris@1295 491 port => $rowldap[1],
Chris@1295 492 basedn => $rowldap[5],
Chris@1295 493 binddn => $bind_as,
Chris@1295 494 bindpw => $bind_pw,
Chris@1295 495 filter => "(".$rowldap[6]."=%s)"
Chris@1295 496 );
Chris@1295 497 my $method = $r->method;
Chris@1295 498 $ret = 1 if ($ldap->authenticate($redmine_user, $redmine_pass) && (($access_mode eq "R" && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/));
Chris@1295 499
Chris@1295 500 }
Chris@1295 501 $sthldap->finish();
Chris@1295 502 undef $sthldap;
Chris@1295 503 }
Chris@1295 504 }
Chris@1295 505 $sth->finish();
Chris@1295 506 undef $sth;
Chris@1295 507 $dbh->disconnect();
Chris@1295 508 undef $dbh;
Chris@1295 509
Chris@1295 510 if ($cfg->{RedmineCacheCredsMax} and $ret) {
Chris@1295 511 if (defined $usrprojpass) {
Chris@1295 512 $cfg->{RedmineCacheCreds}->set($redmine_user.":".$project_id.":".$access_mode, $pass_digest);
Chris@1295 513 } else {
Chris@1295 514 if ($cfg->{RedmineCacheCredsCount} < $cfg->{RedmineCacheCredsMax}) {
Chris@1295 515 $cfg->{RedmineCacheCreds}->set($redmine_user.":".$project_id.":".$access_mode, $pass_digest);
Chris@1295 516 $cfg->{RedmineCacheCredsCount}++;
Chris@1295 517 } else {
Chris@1295 518 $cfg->{RedmineCacheCreds}->clear();
Chris@1295 519 $cfg->{RedmineCacheCredsCount} = 0;
Chris@1295 520 }
Chris@1295 521 }
Chris@1295 522 }
Chris@1295 523
Chris@1295 524 $ret;
Chris@1295 525 }
Chris@1295 526
Chris@1295 527 sub get_project_identifier {
Chris@1295 528 my $r = shift;
Chris@1295 529
Chris@1295 530 my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);
Chris@1295 531 my $location = $r->location;
Chris@1295 532 $location =~ s/\.git$// if (defined $cfg->{RedmineGitSmartHttp} and $cfg->{RedmineGitSmartHttp});
Chris@1295 533 my ($identifier) = $r->uri =~ m{$location/*([^/.]+)};
Chris@1295 534 $identifier;
Chris@1295 535 }
Chris@1295 536
Chris@1295 537 sub connect_database {
Chris@1295 538 my $r = shift;
Chris@1295 539
Chris@1295 540 my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);
Chris@1295 541 return DBI->connect($cfg->{RedmineDSN}, $cfg->{RedmineDbUser}, $cfg->{RedmineDbPass});
Chris@1295 542 }
Chris@1295 543
Chris@1295 544 1;