| blob | f7481558f9b1001ae03b40ad8fe50af67d55ed16 |
1 /*
2 * mod_authz_svn.c: an Apache mod_dav_svn sub-module to provide path
3 * based authorization for a Subversion repository.
4 *
5 * ====================================================================
6 * Copyright (c) 2003-2005 CollabNet. All rights reserved.
7 *
8 * This software is licensed as described in the file COPYING, which
9 * you should have received as part of this distribution. The terms
10 * are also available at http://subversion.tigris.org/license-1.html.
11 * If newer versions of this license are posted there, you may use a
12 * newer version instead, at your option.
13 *
14 * This software consists of voluntary contributions made by many
15 * individuals. For exact contribution history, see the revision
16 * history and logs, available at http://subversion.tigris.org/.
17 * ====================================================================
18 */
21 \f
22 #include <httpd.h>
23 #include <http_config.h>
24 #include <http_core.h>
25 #include <http_request.h>
26 #include <http_protocol.h>
27 #include <http_log.h>
28 #include <ap_config.h>
29 #include <ap_provider.h>
30 #include <apr_uri.h>
31 #include <mod_dav.h>
51 /*
52 * Configuration
53 */
56 {
60 /* By default keep the fortress secure */
65 }
68 {
71 OR_AUTHCFG,
72 "Set to 'Off' to allow access control to be passed along to "
76 OR_AUTHCFG,
80 OR_AUTHCFG,
81 "Set to 'Off' to disable two special-case behaviours of "
82 "this module: (1) interaction with the 'Satisfy Any' "
83 "directive, and (2) enforcement of the authorization "
84 "policy even when no 'Require' directives are present. "
88 no_auth_when_anon_ok),
89 OR_AUTHCFG,
90 "Set to 'On' to suppress authentication and authorization "
91 "for requests which anonymous users are allowed to perform. "
94 };
96 /*
97 * Get the, possibly cached, svn_authz_t for this request.
98 */
101 {
117 /* If it is an error code that APR can make sense
118 of, then show it, otherwise, pass zero to avoid
119 putting "APR does not understand this error code"
120 in the error log. */
130 /* Cache the open repos for the next request on this connection */
133 }
134 }
136 }
138 /* Check if the current request R is allowed. Upon exit *REPOS_PATH_REF
139 * will contain the path and repository name that an operation was requested
140 * on in the form 'name:path'. *DEST_REPOS_PATH_REF will contain the
141 * destination path if the requested operation was a MOVE or a COPY.
142 * Returns OK when access is allowed, DECLINED when it isn't, or an HTTP_
143 * error code when an error occurred.
144 */
149 {
151 apr_uri_t parsed_dest_uri;
167 /* All methods requiring read access to all subtrees of r->uri */
171 /* All methods requiring read access to r->uri */
179 /* All methods requiring write access to all subtrees of r->uri */
184 /* All methods requiring write access to r->uri */
197 /* Require most strict access for unknown methods */
200 }
214 /* Ensure that we never allow access by dav_err->status */
217 }
219 /* Ignore the URI passed to MERGE, like mod_dav_svn does.
220 * See issue #1821.
221 * XXX: When we start accepting a broader range of DeltaV MERGE
222 * XXX: requests, this should be revisited.
223 */
226 }
236 /* Decline MOVE or COPY when there is no Destination uri, this will
237 * cause failure.
238 */
247 /* If it is not the same location, then we don't allow it.
248 * XXX: Instead we could compare repository uuids, but that
249 * XXX: seems a bit over the top.
250 */
252 }
255 dest_uri,
267 /* Ensure that we never allow access by dav_err->status */
270 }
277 }
279 /* Retrieve/cache authorization file */
282 {
284 }
286 /* Perform authz access control.
287 *
288 * First test the special case where repos_path == NULL, and skip
289 * calling the authz routines in that case. This is an oddity of
290 * the DAV RA method: some requests have no repos_path, but apache
291 * still triggers an authz lookup for the URI.
292 *
293 * However, if repos_path == NULL and the request requires write
294 * access, then perform a global authz lookup. The request is
295 * denied if the user commiting isn't granted any access anywhere
296 * in the repository. This is to avoid operations that involve no
297 * paths (commiting an empty revision, leaving a dangling
298 * transaction in the FS) being granted by default, letting
299 * unauthenticated users write some changes to the repository.
300 * This was issue #2388.
301 *
302 * XXX: For now, requesting access to the entire repository always
303 * XXX: succeeds, until we come up with a good way of figuring
304 * XXX: this out.
305 */
308 {
311 authz_svn_type,
316 /* If it is an error code that APR can make
317 sense of, then show it, otherwise, pass
318 zero to avoid putting "APR does not
319 understand this error code" in the error
320 log. */
329 }
332 }
334 /* XXX: MKCOL, MOVE, DELETE
335 * XXX: Require write access to the parent dir of repos_path.
336 */
338 /* XXX: PUT
339 * XXX: If the path doesn't exist, require write access to the
340 * XXX: parent dir of repos_path.
341 */
343 /* Only MOVE and COPY have a second uri we have to check access to. */
347 }
349 /* Check access on the destination repos_path. Again, skip this if
350 repos_path == NULL (see above for explanations) */
352 {
354 dest_repos_name,
355 dest_repos_path,
357 svn_authz_write
363 /* If it is an error code that APR can make sense
364 of, then show it, otherwise, pass zero to avoid
365 putting "APR does not understand this error code"
366 in the error log. */
375 }
378 }
380 /* XXX: MOVE and COPY, if the path doesn't exist yet, also
381 * XXX: require write access to the parent dir of dest_repos_path.
382 */
385 }
387 /* Log a message indicating the access control decision made about a
388 * request. FILE and LINE should be supplied via the APLOG_MARK macro.
389 * ALLOWED is boolean. REPOS_PATH and DEST_REPOS_PATH are information
390 * about the request. DEST_REPOS_PATH may be NULL. */
396 {
405 }
410 }
411 }
417 }
422 }
423 }
424 }
426 /*
427 * This function is used as a provider to allow mod_dav_svn to bypass the
428 * generation of an apache request when checking GET access from
429 * "mod_dav_svn/authz.c" .
430 */
434 {
444 /* If configured properly, this should never be true, but just in case. */
448 }
450 /* Retrieve authorization file */
455 /* Perform authz access control.
456 * See similarly labeled comment in req_check_access.
457 */
466 /* If it is an error code that APR can make
467 sense of, then show it, otherwise, pass
468 zero to avoid putting "APR does not
469 understand this error code" in the error
470 log. */
478 }
482 }
483 }
488 }
490 /*
491 * Hooks
492 */
495 {
502 /* We are not configured to run */
507 /* It makes no sense to check if a location is both accessible
508 * anonymous and by an authenticated user (in the same request!).
509 */
513 /* If the user is trying to authenticate, let him. If anonymous
514 * access is allowed, so is authenticated access, by definition
515 * of the meaning of '*' in the access file.
516 */
520 /* Given Satisfy Any is in effect, we have to forbid access
521 * to let the auth_checker hook have a go at it.
522 */
524 }
525 }
527 /* If anon access is allowed, return OK */
535 }
538 }
546 }
549 {
556 /* We are not configured to run, or, an earlier module has already
557 * authenticated this request. */
561 /* If anon access is allowed, return OK, preventing later modules
562 * from issuing an HTTP_UNAUTHORIZED. Also pass a note to our
563 * auth_checker hook that access has already been checked. */
569 }
572 }
575 {
582 /* We are not configured to run */
586 /* Previous hook (check_user_id) already did all the work,
587 * and, as a sanity check, r->user hasn't been set since then? */
590 }
598 }
601 }
609 }
611 /*
612 * Module flesh
613 */
616 {
620 /* Our check_user_id hook must be before any module which will return
621 * HTTP_UNAUTHORIZED (mod_auth_basic, etc.), but after mod_ssl, to
622 * give SSLOptions +FakeBasicAuth a chance to work. */
626 AUTHZ_SVN__SUBREQ_BYPASS_PROV_GRP,
627 AUTHZ_SVN__SUBREQ_BYPASS_PROV_NAME,
628 AUTHZ_SVN__SUBREQ_BYPASS_PROV_VER,
630 }
632 module AP_MODULE_DECLARE_DATA authz_svn_module =
633 {
634 STANDARD20_MODULE_STUFF,
640 register_hooks /* register hooks */
641 };