Compare commits
20 Commits
2.1-stable
...
swistak
| Author | SHA1 | Date | |
|---|---|---|---|
|
131b15fc7a | ||
|
|
f6b1583a1a | ||
|
|
5bea900443 | ||
|
|
81baddad00 | ||
|
|
f6b5632fec | ||
|
|
f7ede727fd | ||
|
|
b870417860 | ||
|
|
25a7838e0a | ||
|
|
7c3ddf2bc0 | ||
|
|
0f8df81b87 | ||
|
|
c5121d804d | ||
|
|
8bcbbebf65 | ||
|
|
2d2afab549 | ||
|
|
35f601e769 | ||
|
|
b84cffd62e | ||
|
|
2eba0b66d4 | ||
|
|
eb2d814344 | ||
|
|
d9385ce9a2 | ||
|
|
d3522c10e4 | ||
|
|
b9957264eb |
@@ -8,8 +8,8 @@ against redmine database
|
||||
=head1 SYNOPSIS
|
||||
|
||||
This module allow anonymous users to browse public project and
|
||||
registred users to browse and commit their project. authentication is
|
||||
done on the redmine database.
|
||||
registred users to browse and commit their project. Authentication is
|
||||
done against the redmine database or the LDAP configured in redmine.
|
||||
|
||||
This method is far simpler than the one with pam_* and works with all
|
||||
database without an hassle but you need to have apache/mod_perl on the
|
||||
@@ -29,12 +29,16 @@ On debian/ubuntu you must do :
|
||||
|
||||
aptitude install libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl
|
||||
|
||||
If your Redmine users use LDAP authentication, you will also need
|
||||
Authen::Simple::LDAP (and IO::Socket::SSL if LDAPS is used):
|
||||
|
||||
aptitude install libauthen-simple-ldap-perl libio-socket-ssl-perl
|
||||
|
||||
=head1 CONFIGURATION
|
||||
|
||||
## if the module isn't in your perl path
|
||||
PerlRequire /usr/local/apache/Redmine.pm
|
||||
## else
|
||||
# PerlModule Apache::Authn::Redmine
|
||||
## This module has to be in your perl path
|
||||
## eg: /usr/lib/perl5/Apache/Authn/Redmine.pm
|
||||
PerlLoadModule Apache::Authn::Redmine
|
||||
<Location /svn>
|
||||
DAV svn
|
||||
SVNParentPath "/var/svn"
|
||||
@@ -47,12 +51,19 @@ On debian/ubuntu you must do :
|
||||
PerlAuthenHandler Apache::Authn::Redmine::authen_handler
|
||||
|
||||
## for mysql
|
||||
PerlSetVar dsn DBI:mysql:database=databasename;host=my.db.server
|
||||
RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
|
||||
## for postgres
|
||||
# PerlSetVar dsn DBI:Pg:dbname=databasename;host=my.db.server
|
||||
# RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
|
||||
|
||||
PerlSetVar db_user redmine
|
||||
PerlSetVar db_pass password
|
||||
RedmineDbUser "redmine"
|
||||
RedmineDbPass "password"
|
||||
## Optional where clause (fulltext search would be slow and
|
||||
## database dependant).
|
||||
# RedmineDbWhereClause "and members.role_id IN (1,2)"
|
||||
## Configuration for memcached
|
||||
# RedmineMemcacheServers "127.0.0.1:112211"
|
||||
# RedmineMemcacheExpirySec "60"
|
||||
# RedmineMemcacheNamespace "RedmineCreds:"
|
||||
</Location>
|
||||
|
||||
To be able to browse repository inside redmine, you must add something
|
||||
@@ -87,18 +98,119 @@ And you need to upgrade at least reposman.rb (after r860).
|
||||
=cut
|
||||
|
||||
use strict;
|
||||
use warnings FATAL => 'all', NONFATAL => 'redefine';
|
||||
|
||||
use DBI;
|
||||
use Digest::SHA1;
|
||||
# optional module for LDAP authentication
|
||||
my $CanUseLDAPAuth = eval("use Authen::Simple::LDAP; 1");
|
||||
my $CanUseMemcached = eval("use Cache::Memcached; 1");
|
||||
|
||||
use Apache2::Module;
|
||||
use Apache2::Access;
|
||||
use Apache2::ServerRec qw();
|
||||
use Apache2::RequestRec qw();
|
||||
use Apache2::RequestUtil qw();
|
||||
use Apache2::Const qw(:common);
|
||||
use Apache2::Const qw(:common :override :cmd_how);
|
||||
|
||||
# use Apache2::Directive qw();
|
||||
|
||||
my @directives = (
|
||||
{
|
||||
name => 'RedmineDSN',
|
||||
req_override => OR_AUTHCFG,
|
||||
args_how => TAKE1,
|
||||
errmsg => 'Dsn in format used by Perl DBI. eg: "DBI:Pg:dbname=databasename;host=my.db.server"',
|
||||
},
|
||||
{
|
||||
name => 'RedmineDbUser',
|
||||
req_override => OR_AUTHCFG,
|
||||
args_how => TAKE1,
|
||||
},
|
||||
{
|
||||
name => 'RedmineDbPass',
|
||||
req_override => OR_AUTHCFG,
|
||||
args_how => TAKE1,
|
||||
},
|
||||
{
|
||||
name => 'RedmineDbWhereClause',
|
||||
req_override => OR_AUTHCFG,
|
||||
args_how => TAKE1,
|
||||
},
|
||||
{
|
||||
name => 'RedmineMemcacheServers',
|
||||
req_override => OR_AUTHCFG,
|
||||
args_how => TAKE1,
|
||||
},
|
||||
{
|
||||
name => 'RedmineMemcacheExpirySec',
|
||||
req_override => OR_AUTHCFG,
|
||||
args_how => TAKE1,
|
||||
},
|
||||
{
|
||||
name => 'RedmineMemcacheNamespace',
|
||||
req_override => OR_AUTHCFG,
|
||||
args_how => TAKE1,
|
||||
},
|
||||
);
|
||||
|
||||
sub RedmineDSN {
|
||||
my ($self, $parms, $arg) = @_;
|
||||
$self->{RedmineDSN} = $arg;
|
||||
my $query = "SELECT
|
||||
hashed_password, auth_source_id
|
||||
FROM members, projects, users
|
||||
WHERE
|
||||
projects.id=members.project_id
|
||||
AND users.id=members.user_id
|
||||
AND users.status=1
|
||||
AND login=?
|
||||
AND identifier=? ";
|
||||
$self->{RedmineQuery} = trim($query);
|
||||
}
|
||||
sub RedmineDbUser { set_val('RedmineDbUser', @_); }
|
||||
sub RedmineDbPass { set_val('RedmineDbPass', @_); }
|
||||
sub RedmineDbWhereClause {
|
||||
my ($self, $parms, $arg) = @_;
|
||||
$self->{RedmineQuery} = trim($self->{RedmineQuery}.($arg ? $arg : "")." ");
|
||||
}
|
||||
|
||||
sub RedmineMemcacheServers {
|
||||
my ($self, $parms, $arg) = @_;
|
||||
if ($arg && $CanUseMemcached) {
|
||||
$self->{RedmineMemcached} = new Cache::Memcached {
|
||||
'servers' => [ $arg, ],
|
||||
'debug' => 0,
|
||||
};
|
||||
$self->{RedmineMemcache} = 1;
|
||||
}
|
||||
}
|
||||
|
||||
sub RedmineMemcacheExpirySec { set_val('RedmineMemcacheExpirySec', @_); }
|
||||
|
||||
sub RedmineMemcacheNamespace {
|
||||
my ($self, $parms, $arg) = @_;
|
||||
if ($self->{RedmineMemcache}) {
|
||||
# Undocumented feature of Cache::Memcached, please don't kill me
|
||||
$self->{RedmineMemcached}->{namespace} = $arg;
|
||||
$self->{RedmineMemcached}->{namespace_len} = length $self->{RedmineMemcached}->{namespace};
|
||||
}
|
||||
}
|
||||
|
||||
sub trim {
|
||||
my $string = shift;
|
||||
$string =~ s/\s{2,}/ /g;
|
||||
return $string;
|
||||
}
|
||||
|
||||
sub set_val {
|
||||
my ($key, $self, $parms, $arg) = @_;
|
||||
$self->{$key} = $arg;
|
||||
}
|
||||
|
||||
Apache2::Module::add(__PACKAGE__, \@directives);
|
||||
|
||||
|
||||
my %read_only_methods = map { $_ => 1 } qw/GET PROPFIND REPORT OPTIONS/;
|
||||
|
||||
sub access_handler {
|
||||
@@ -110,7 +222,7 @@ sub access_handler {
|
||||
}
|
||||
|
||||
my $method = $r->method;
|
||||
return OK unless 1 == $read_only_methods{$method};
|
||||
return OK if defined $read_only_methods{$method};
|
||||
|
||||
my $project_id = get_project_identifier($r);
|
||||
|
||||
@@ -126,7 +238,11 @@ sub authen_handler {
|
||||
my ($res, $redmine_pass) = $r->get_basic_auth_pw();
|
||||
return $res unless $res == OK;
|
||||
|
||||
if (is_member($r->user, $redmine_pass, $r)) {
|
||||
my $project_id = get_project_identifier($r);
|
||||
if (!$project_id) {
|
||||
return FORBIDDEN;
|
||||
}
|
||||
if (is_member($r->user, $redmine_pass, $r, $project_id)) {
|
||||
return OK;
|
||||
} else {
|
||||
$r->note_auth_failure();
|
||||
@@ -138,14 +254,27 @@ sub is_public_project {
|
||||
my $project_id = shift;
|
||||
my $r = shift;
|
||||
|
||||
my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);
|
||||
if ($cfg->{RedmineMemcache}) {
|
||||
return 1 if ($cfg->{RedmineMemcached}->get($project_id));
|
||||
}
|
||||
my $dbh = connect_database($r);
|
||||
my $sth = $dbh->prepare(
|
||||
"SELECT * FROM projects WHERE projects.identifier=? and projects.is_public=true;"
|
||||
"SELECT * FROM projects WHERE projects.identifier=? and projects.is_public=true;"
|
||||
);
|
||||
|
||||
$sth->execute($project_id);
|
||||
my $ret = $sth->fetchrow_array ? 1 : 0;
|
||||
$sth->finish();
|
||||
$dbh->disconnect();
|
||||
if ($cfg->{RedmineMemcache}) {
|
||||
if ($cfg->{RedmineMemcacheExpirySec}) {
|
||||
$cfg->{RedmineMemcached}->set($project_id, $ret, $cfg->{RedmineMemcacheExpirySec});
|
||||
} else {
|
||||
$cfg->{RedmineMemcached}->set($project_id, $ret);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
$ret;
|
||||
}
|
||||
@@ -169,26 +298,59 @@ sub is_member {
|
||||
my $redmine_user = shift;
|
||||
my $redmine_pass = shift;
|
||||
my $r = shift;
|
||||
my $project_id = shift;
|
||||
|
||||
my $dbh = connect_database($r);
|
||||
my $project_id = get_project_identifier($r);
|
||||
|
||||
my $pass_digest = Digest::SHA1::sha1_hex($redmine_pass);
|
||||
|
||||
my $sth = $dbh->prepare(
|
||||
"SELECT hashed_password FROM members, projects, users WHERE projects.id=members.project_id AND users.id=members.user_id AND users.status=1 AND login=? AND identifier=?;"
|
||||
);
|
||||
my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);
|
||||
my $usrprojpass;
|
||||
if ($cfg->{RedmineMemcache}) {
|
||||
$usrprojpass = $cfg->{RedmineMemcached}->get($redmine_user.":".$project_id);
|
||||
return 1 if (defined $usrprojpass and ($usrprojpass eq $pass_digest));
|
||||
}
|
||||
my $query = $cfg->{RedmineQuery};
|
||||
my $sth = $dbh->prepare($query);
|
||||
$sth->execute($redmine_user, $project_id);
|
||||
|
||||
my $ret;
|
||||
while (my @row = $sth->fetchrow_array) {
|
||||
if ($row[0] eq $pass_digest) {
|
||||
$ret = 1;
|
||||
last;
|
||||
unless ($row[1]) {
|
||||
if ($row[0] eq $pass_digest) {
|
||||
$ret = 1;
|
||||
last;
|
||||
}
|
||||
} elsif ($CanUseLDAPAuth) {
|
||||
my $sthldap = $dbh->prepare(
|
||||
"SELECT host,port,tls,account,account_password,base_dn,attr_login from auth_sources WHERE id = ?;"
|
||||
);
|
||||
$sthldap->execute($row[1]);
|
||||
while (my @rowldap = $sthldap->fetchrow_array) {
|
||||
my $ldap = Authen::Simple::LDAP->new(
|
||||
host => ($rowldap[2] == 1 || $rowldap[2] eq "t") ? "ldaps://$rowldap[0]" : $rowldap[0],
|
||||
port => $rowldap[1],
|
||||
basedn => $rowldap[5],
|
||||
binddn => $rowldap[3] ? $rowldap[3] : "",
|
||||
bindpw => $rowldap[4] ? $rowldap[4] : "",
|
||||
filter => "(".$rowldap[6]."=%s)"
|
||||
);
|
||||
$ret = 1 if ($ldap->authenticate($redmine_user, $redmine_pass));
|
||||
}
|
||||
$sthldap->finish();
|
||||
}
|
||||
}
|
||||
$sth->finish();
|
||||
$dbh->disconnect();
|
||||
|
||||
if ($cfg->{RedmineMemcache} and $ret) {
|
||||
if ($cfg->{RedmineMemcacheExpirySec}) {
|
||||
$cfg->{RedmineMemcached}->set($redmine_user.":".$project_id, $pass_digest, $cfg->{RedmineMemcacheExpirySec});
|
||||
} else {
|
||||
$cfg->{RedmineMemcached}->set($redmine_user.":".$project_id, $pass_digest);
|
||||
}
|
||||
}
|
||||
|
||||
$ret;
|
||||
}
|
||||
|
||||
@@ -202,9 +364,9 @@ sub get_project_identifier {
|
||||
|
||||
sub connect_database {
|
||||
my $r = shift;
|
||||
|
||||
my ($dsn, $db_user, $db_pass) = map { $r->dir_config($_) } qw/dsn db_user db_pass/;
|
||||
return DBI->connect($dsn, $db_user, $db_pass);
|
||||
|
||||
my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);
|
||||
return DBI->connect($cfg->{RedmineDSN}, $cfg->{RedmineDbUser}, $cfg->{RedmineDbPass});
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
Reference in New Issue
Block a user