| blob | d658f10c9a574ee13970940916c2e5c70f8c0bc2 |
1 /*
2 * mod_authz_svn.c: an Apache mod_dav_svn sub-module to provide path
3 * based authorization for a Subversion repository.
4 *
5 * ====================================================================
6 * Copyright (c) 2003-2008 CollabNet. All rights reserved.
7 *
8 * This software is licensed as described in the file COPYING, which
9 * you should have received as part of this distribution. The terms
10 * are also available at http://subversion.tigris.org/license-1.html.
11 * If newer versions of this license are posted there, you may use a
12 * newer version instead, at your option.
13 *
14 * This software consists of voluntary contributions made by many
15 * individuals. For exact contribution history, see the revision
16 * history and logs, available at http://subversion.tigris.org/.
17 * ====================================================================
18 */
21 \f
22 #include <httpd.h>
23 #include <http_config.h>
24 #include <http_core.h>
25 #include <http_request.h>
26 #include <http_protocol.h>
27 #include <http_log.h>
28 #include <ap_config.h>
29 #include <ap_provider.h>
30 #include <apr_uri.h>
31 #include <apr_lib.h>
32 #include <mod_dav.h>
53 /*
54 * Configuration
55 */
59 {
63 /* By default keep the fortress secure */
68 }
71 {
74 OR_AUTHCFG,
75 "Set to 'Off' to allow access control to be passed along to "
79 OR_AUTHCFG,
83 OR_AUTHCFG,
84 "Set to 'Off' to disable two special-case behaviours of "
85 "this module: (1) interaction with the 'Satisfy Any' "
86 "directive, and (2) enforcement of the authorization "
87 "policy even when no 'Require' directives are present. "
91 no_auth_when_anon_ok),
92 OR_AUTHCFG,
93 "Set to 'On' to suppress authentication and authorization "
94 "for requests which anonymous users are allowed to perform. "
98 force_username_case),
99 OR_AUTHCFG,
100 "Set to 'Upper' or 'Lower' to convert the username before "
103 };
105 /*
106 * Get the, possibly cached, svn_authz_t for this request.
107 */
110 {
122 {
126 {
128 /* If it is an error code that APR can make sense
129 of, then show it, otherwise, pass zero to avoid
130 putting "APR does not understand this error code"
131 in the error log. */
139 }
140 else
141 {
142 /* Cache the open repos for the next request on this connection */
145 }
146 }
148 }
150 /* Convert TEXT to upper case if TO_UPPERCASE is TRUE, else
151 converts it to lower case. */
152 static void
154 {
157 {
160 }
161 }
163 /* Return the username to authorize, with case-conversion performed if
164 CONF->force_username_case is set. */
167 {
170 {
174 }
176 }
178 /* Check if the current request R is allowed. Upon exit *REPOS_PATH_REF
179 * will contain the path and repository name that an operation was requested
180 * on in the form 'name:path'. *DEST_REPOS_PATH_REF will contain the
181 * destination path if the requested operation was a MOVE or a COPY.
182 * Returns OK when access is allowed, DECLINED when it isn't, or an HTTP_
183 * error code when an error occurred.
184 */
185 static int
190 {
192 apr_uri_t parsed_dest_uri;
209 {
210 /* All methods requiring read access to all subtrees of r->uri */
214 /* All methods requiring read access to r->uri */
222 /* All methods requiring write access to all subtrees of r->uri */
227 /* All methods requiring write access to r->uri */
240 /* Require most strict access for unknown methods */
243 }
254 {
258 /* Ensure that we never allow access by dav_err->status */
261 }
263 /* Ignore the URI passed to MERGE, like mod_dav_svn does.
264 * See issue #1821.
265 * XXX: When we start accepting a broader range of DeltaV MERGE
266 * XXX: requests, this should be revisited.
267 */
277 {
280 /* Decline MOVE or COPY when there is no Destination uri, this will
281 * cause failure.
282 */
291 {
292 /* If it is not the same location, then we don't allow it.
293 * XXX: Instead we could compare repository uuids, but that
294 * XXX: seems a bit over the top.
295 */
297 }
300 dest_uri,
309 {
313 /* Ensure that we never allow access by dav_err->status */
316 }
323 }
325 /* Retrieve/cache authorization file */
330 /* Perform authz access control.
331 *
332 * First test the special case where repos_path == NULL, and skip
333 * calling the authz routines in that case. This is an oddity of
334 * the DAV RA method: some requests have no repos_path, but apache
335 * still triggers an authz lookup for the URI.
336 *
337 * However, if repos_path == NULL and the request requires write
338 * access, then perform a global authz lookup. The request is
339 * denied if the user commiting isn't granted any access anywhere
340 * in the repository. This is to avoid operations that involve no
341 * paths (commiting an empty revision, leaving a dangling
342 * transaction in the FS) being granted by default, letting
343 * unauthenticated users write some changes to the repository.
344 * This was issue #2388.
345 *
346 * XXX: For now, requesting access to the entire repository always
347 * XXX: succeeds, until we come up with a good way of figuring
348 * XXX: this out.
349 */
352 {
354 repos_path,
355 username_to_authorize,
356 authz_svn_type,
360 {
362 /* If it is an error code that APR can make
363 sense of, then show it, otherwise, pass
364 zero to avoid putting "APR does not
365 understand this error code" in the error
366 log. */
376 }
379 }
381 /* XXX: MKCOL, MOVE, DELETE
382 * XXX: Require write access to the parent dir of repos_path.
383 */
385 /* XXX: PUT
386 * XXX: If the path doesn't exist, require write access to the
387 * XXX: parent dir of repos_path.
388 */
390 /* Only MOVE and COPY have a second uri we have to check access to. */
394 /* Check access on the destination repos_path. Again, skip this if
395 repos_path == NULL (see above for explanations) */
397 {
399 dest_repos_name,
400 dest_repos_path,
401 username_to_authorize,
402 svn_authz_write
407 {
409 /* If it is an error code that APR can make sense
410 of, then show it, otherwise, pass zero to avoid
411 putting "APR does not understand this error code"
412 in the error log. */
421 }
424 }
426 /* XXX: MOVE and COPY, if the path doesn't exist yet, also
427 * XXX: require write access to the parent dir of dest_repos_path.
428 */
431 }
433 /* Log a message indicating the access control decision made about a
434 * request. FILE and LINE should be supplied via the APLOG_MARK macro.
435 * ALLOWED is boolean. REPOS_PATH and DEST_REPOS_PATH are information
436 * about the request. DEST_REPOS_PATH may be NULL. */
437 static void
441 {
446 {
451 else
455 }
456 else
457 {
462 else
466 }
467 }
469 /*
470 * This function is used as a provider to allow mod_dav_svn to bypass the
471 * generation of an apache request when checking GET access from
472 * "mod_dav_svn/authz.c" .
473 */
474 static int
478 {
490 /* If configured properly, this should never be true, but just in case. */
492 {
495 }
497 /* Retrieve authorization file */
502 /* Perform authz access control.
503 * See similarly labeled comment in req_check_access.
504 */
506 {
508 repos_path,
509 username_to_authorize,
514 {
516 /* If it is an error code that APR can make
517 sense of, then show it, otherwise, pass
518 zero to avoid putting "APR does not
519 understand this error code" in the error
520 log. */
528 }
530 {
533 }
534 }
539 }
541 /*
542 * Hooks
543 */
545 static int
547 {
554 /* We are not configured to run */
559 {
560 /* It makes no sense to check if a location is both accessible
561 * anonymous and by an authenticated user (in the same request!).
562 */
566 /* If the user is trying to authenticate, let him. If anonymous
567 * access is allowed, so is authenticated access, by definition
568 * of the meaning of '*' in the access file.
569 */
573 {
574 /* Given Satisfy Any is in effect, we have to forbid access
575 * to let the auth_checker hook have a go at it.
576 */
578 }
579 }
581 /* If anon access is allowed, return OK */
584 {
592 }
600 }
602 static int
604 {
611 /* We are not configured to run, or, an earlier module has already
612 * authenticated this request. */
616 /* If anon access is allowed, return OK, preventing later modules
617 * from issuing an HTTP_UNAUTHORIZED. Also pass a note to our
618 * auth_checker hook that access has already been checked. */
621 {
625 }
628 }
630 static int
632 {
639 /* We are not configured to run */
643 /* Previous hook (check_user_id) already did all the work,
644 * and, as a sanity check, r->user hasn't been set since then? */
650 {
652 {
656 }
658 }
666 }
668 /*
669 * Module flesh
670 */
672 static void
674 {
678 /* Our check_user_id hook must be before any module which will return
679 * HTTP_UNAUTHORIZED (mod_auth_basic, etc.), but after mod_ssl, to
680 * give SSLOptions +FakeBasicAuth a chance to work. */
684 AUTHZ_SVN__SUBREQ_BYPASS_PROV_GRP,
685 AUTHZ_SVN__SUBREQ_BYPASS_PROV_NAME,
686 AUTHZ_SVN__SUBREQ_BYPASS_PROV_VER,
688 }
690 module AP_MODULE_DECLARE_DATA authz_svn_module =
691 {
692 STANDARD20_MODULE_STUFF,
698 register_hooks /* register hooks */
699 };