subversion/mod_dav_svn/authz.c

   1 /*
   2  * authz.c: authorization related code
   3  *
   4  * ====================================================================
   5  * Copyright (c) 2000-2006 CollabNet.  All rights reserved.
   6  *
   7  * This software is licensed as described in the file COPYING, which
   8  * you should have received as part of this distribution.  The terms
   9  * are also available at http://subversion.tigris.org/license-1.html.
  10  * If newer versions of this license are posted there, you may use a
  11  * newer version instead, at your option.
  12  *
  13  * This software consists of voluntary contributions made by many
  14  * individuals.  For exact contribution history, see the revision
  15  * history and logs, available at http://subversion.tigris.org/.
  16  * ====================================================================
  17  */
  18
  19 #include <http_request.h>
  20 #include <http_log.h>
  21
  22 #include "svn_pools.h"
  23 #include "svn_path.h"
  24
  25 #include "mod_authz_svn.h"
  26 #include "dav_svn.h"
  27
  28
  29 /* Convert incoming REV and PATH from request R into a version-resource URI
  30    for REPOS and perform a GET subrequest on it.  This will invoke any authz
  31    modules loaded into apache.  Return TRUE if the subrequest succeeds, FALSE
  32    otherwise. If REV is SVN_INVALID_REVNUM, then we look at HEAD.
  33 */
  34 static svn_boolean_t
  35 allow_read(request_rec *r,
  36            const dav_svn_repos *repos,
  37            const char *path,
  38            svn_revnum_t rev,
  39            apr_pool_t *pool)
  40 {
  41   const char *uri;
  42   request_rec *subreq;
  43   enum dav_svn__build_what uri_type;
  44   svn_boolean_t allowed = FALSE;
  45   authz_svn__subreq_bypass_func_t allow_read_bypass = NULL;
  46
  47   /* Easy out:  if the admin has explicitly set 'SVNPathAuthz Off',
  48      then this whole callback does nothing. */
  49   if (! dav_svn__get_pathauthz_flag(r))
  50     {
  51       return TRUE;
  52     }
  53
  54   /* If bypass is specified and authz has exported the provider.
  55      Otherwise, we fall through to the full version.  This should be
  56      safer than allowing or disallowing all accesses if there is a
  57      configuration error.
  58      XXX: Is this the proper thing to do in this case? */
  59   allow_read_bypass = dav_svn__get_pathauthz_bypass(r);
  60   if (allow_read_bypass != NULL)
  61     {
  62       if (allow_read_bypass(r,path, repos->repo_name) == OK)
  63         return TRUE;
  64       else
  65         return FALSE;
  66     }
  67
  68   /* If no revnum is specified, assume HEAD. */
  69   if (SVN_IS_VALID_REVNUM(rev))
  70     uri_type = DAV_SVN__BUILD_URI_VERSION;
  71   else
  72     uri_type = DAV_SVN__BUILD_URI_PUBLIC;
  73
  74   /* Build a Version Resource uri representing (rev, path). */
  75   uri = dav_svn__build_uri(repos, uri_type, rev, path, FALSE, pool);
  76
  77   /* Check if GET would work against this uri. */
  78   subreq = ap_sub_req_method_uri("GET", uri, r, r->output_filters);
  79
  80   if (subreq)
  81     {
  82       if (subreq->status == HTTP_OK)
  83         allowed = TRUE;
  84
  85       ap_destroy_sub_req(subreq);
  86     }
  87
  88   return allowed;
  89 }
  90
  91
  92 /* This function implements 'svn_repos_authz_func_t', specifically
  93    for read authorization.
  94
  95    Convert incoming ROOT and PATH into a version-resource URI and
  96    perform a GET subrequest on it.  This will invoke any authz modules
  97    loaded into apache.  Set *ALLOWED to TRUE if the subrequest
  98    succeeds, FALSE otherwise.
  99
 100    BATON must be a pointer to a dav_svn__authz_read_baton.
 101    Use POOL for for any temporary allocation.
 102 */
 103 static svn_error_t *
 104 authz_read(svn_boolean_t *allowed,
 105            svn_fs_root_t *root,
 106            const char *path,
 107            void *baton,
 108            apr_pool_t *pool)
 109 {
 110   dav_svn__authz_read_baton *arb = baton;
 111   svn_revnum_t rev = SVN_INVALID_REVNUM;
 112   const char *revpath = NULL;
 113
 114   /* Our ultimate goal here is to create a Version Resource (VR) url,
 115      which is a url that represents a path within a revision.  We then
 116      send a subrequest to apache, so that any installed authz modules
 117      can allow/disallow the path.
 118
 119      ### That means that we're assuming that any installed authz
 120      module is *only* paying attention to revision-paths, not paths in
 121      uncommitted transactions.  Someday we need to widen our horizons. */
 122
 123   if (svn_fs_is_txn_root(root))
 124     {
 125       /* This means svn_repos_dir_delta2 is comparing two txn trees,
 126          rather than a txn and revision.  It's probably updating a
 127          working copy that contains 'disjoint urls'.
 128
 129          Because the 2nd transaction is likely to have all sorts of
 130          paths linked in from random places, we need to find the
 131          original (rev,path) of each txn path.  That's what needs
 132          authorization.  */
 133
 134       svn_stringbuf_t *path_s = svn_stringbuf_create(path, pool);
 135       const char *lopped_path = "";
 136
 137       /* The path might be copied implicitly, because it's down in a
 138          copied tree.  So we start at path and walk up its parents
 139          asking if anyone was copied, and if so where from.  */
 140       while (! (svn_path_is_empty(path_s->data)
 141                 || ((path_s->len == 1) && (path_s->data[0] == '/'))))
 142         {
 143           SVN_ERR(svn_fs_copied_from(&rev, &revpath, root,
 144                                      path_s->data, pool));
 145
 146           if (SVN_IS_VALID_REVNUM(rev) && revpath)
 147             {
 148               revpath = svn_path_join(revpath, lopped_path, pool);
 149               break;
 150             }
 151
 152           /* Lop off the basename and try again. */
 153           lopped_path = svn_path_join(svn_path_basename
 154                                       (path_s->data, pool), lopped_path, pool);
 155           svn_path_remove_component(path_s);
 156         }
 157
 158       /* If no copy produced this path, its path in the original
 159          revision is the same as its path in this txn. */
 160       if ((rev == SVN_INVALID_REVNUM) && (revpath == NULL))
 161         {
 162           rev = svn_fs_txn_root_base_revision(root);
 163           revpath = path;
 164         }
 165     }
 166   else  /* revision root */
 167     {
 168       rev = svn_fs_revision_root_revision(root);
 169       revpath = path;
 170     }
 171
 172   /* We have a (rev, path) pair to check authorization on. */
 173   *allowed = allow_read(arb->r, arb->repos, revpath, rev, pool);
 174
 175   return SVN_NO_ERROR;
 176 }
 177
 178
 179 svn_repos_authz_func_t
 180 dav_svn__authz_read_func(dav_svn__authz_read_baton *baton)
 181 {
 182   /* Easy out: If the admin has explicitly set 'SVNPathAuthz Off',
 183      then we don't need to do any authorization checks. */
 184   if (! dav_svn__get_pathauthz_flag(baton->r))
 185     return NULL;
 186
 187   return authz_read;
 188 }
 189
 190
 191 svn_boolean_t
 192 dav_svn__allow_read(const dav_resource *resource,
 193                    svn_revnum_t rev,
 194                    apr_pool_t *pool)
 195 {
 196   return allow_read(resource->info->r, resource->info->repos,
 197                     resource->info->repos_path, rev, pool);
 198 }