Indentation fix.
Adirelle
parent
e1577bc897
commit
cf1cc940cc
208
Redmine.pm
208
Redmine.pm
|
|
@ -27,60 +27,60 @@ work on allmost all databases).
|
||||||
|
|
||||||
On debian/ubuntu you must do :
|
On debian/ubuntu you must do :
|
||||||
|
|
||||||
aptitude install libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl
|
aptitude install libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl
|
||||||
|
|
||||||
If your Redmine users use LDAP authentication, you will also need
|
If your Redmine users use LDAP authentication, you will also need
|
||||||
Authen::Simple::LDAP (and IO::Socket::SSL if LDAPS is used):
|
Authen::Simple::LDAP (and IO::Socket::SSL if LDAPS is used):
|
||||||
|
|
||||||
aptitude install libauthen-simple-ldap-perl libio-socket-ssl-perl
|
aptitude install libauthen-simple-ldap-perl libio-socket-ssl-perl
|
||||||
|
|
||||||
=head1 CONFIGURATION
|
=head1 CONFIGURATION
|
||||||
|
|
||||||
## This module has to be in your perl path
|
## This module has to be in your perl path
|
||||||
## eg: /usr/lib/perl5/Apache/Authn/Redmine.pm
|
## eg: /usr/lib/perl5/Apache/Authn/Redmine.pm
|
||||||
PerlLoadModule Apache::Authn::Redmine
|
PerlLoadModule Apache::Authn::Redmine
|
||||||
<Location /svn>
|
<Location /svn>
|
||||||
DAV svn
|
DAV svn
|
||||||
SVNParentPath "/var/svn"
|
SVNParentPath "/var/svn"
|
||||||
|
|
||||||
AuthType Basic
|
AuthType Basic
|
||||||
AuthName redmine
|
AuthName redmine
|
||||||
Require valid-user
|
Require valid-user
|
||||||
|
|
||||||
PerlAuthenHandler Apache::Authn::Redmine::authen_handler
|
PerlAuthenHandler Apache::Authn::Redmine::authen_handler
|
||||||
PerlAuthzHandler Apache::Authn::Redmine::authz_handler
|
PerlAuthzHandler Apache::Authn::Redmine::authz_handler
|
||||||
|
|
||||||
## for mysql
|
## for mysql
|
||||||
RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
|
RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
|
||||||
## for postgres
|
## for postgres
|
||||||
# RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
|
# RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
|
||||||
|
|
||||||
RedmineDbUser "redmine"
|
RedmineDbUser "redmine"
|
||||||
RedmineDbPass "password"
|
RedmineDbPass "password"
|
||||||
## Optional where clause (fulltext search would be slow and
|
## Optional where clause (fulltext search would be slow and
|
||||||
## database dependant).
|
## database dependant).
|
||||||
# RedmineDbWhereClause "and members.role_id IN (1,2)"
|
# RedmineDbWhereClause "and members.role_id IN (1,2)"
|
||||||
## Optional credentials cache size
|
## Optional credentials cache size
|
||||||
# RedmineCacheCredsMax 50
|
# RedmineCacheCredsMax 50
|
||||||
</Location>
|
</Location>
|
||||||
|
|
||||||
To be able to browse repository inside redmine, you must add something
|
To be able to browse repository inside redmine, you must add something
|
||||||
like that :
|
like that :
|
||||||
|
|
||||||
<Location /svn-private>
|
<Location /svn-private>
|
||||||
DAV svn
|
DAV svn
|
||||||
SVNParentPath "/var/svn"
|
SVNParentPath "/var/svn"
|
||||||
Order deny,allow
|
Order deny,allow
|
||||||
Deny from all
|
Deny from all
|
||||||
# only allow reading orders
|
# only allow reading orders
|
||||||
<Limit GET PROPFIND OPTIONS REPORT>
|
<Limit GET PROPFIND OPTIONS REPORT>
|
||||||
Allow from redmine.server.ip
|
Allow from redmine.server.ip
|
||||||
</Limit>
|
</Limit>
|
||||||
</Location>
|
</Location>
|
||||||
|
|
||||||
and you will have to use this reposman.rb command line to create repository :
|
and you will have to use this reposman.rb command line to create repository :
|
||||||
|
|
||||||
reposman.rb --redmine my.redmine.server --svn-dir /var/svn --owner www-data -u http://svn.server/svn-private/
|
reposman.rb --redmine my.redmine.server --svn-dir /var/svn --owner www-data -u http://svn.server/svn-private/
|
||||||
|
|
||||||
=head1 MIGRATION FROM OLDER RELEASES
|
=head1 MIGRATION FROM OLDER RELEASES
|
||||||
|
|
||||||
|
|
@ -88,8 +88,8 @@ If you use an older reposman.rb (r860 or before), you need to change
|
||||||
rights on repositories to allow the apache user to read and write
|
rights on repositories to allow the apache user to read and write
|
||||||
S<them :>
|
S<them :>
|
||||||
|
|
||||||
sudo chown -R www-data /var/svn/*
|
sudo chown -R www-data /var/svn/*
|
||||||
sudo chmod -R u+w /var/svn/*
|
sudo chmod -R u+w /var/svn/*
|
||||||
|
|
||||||
And you need to upgrade at least reposman.rb (after r860).
|
And you need to upgrade at least reposman.rb (after r860).
|
||||||
|
|
||||||
|
|
@ -228,37 +228,37 @@ sub RedmineDenyNonMember { set_val('DenyNonMember', @_); }
|
||||||
sub RedmineSuperAdmin { set_val('SuperAdmin', @_); }
|
sub RedmineSuperAdmin { set_val('SuperAdmin', @_); }
|
||||||
|
|
||||||
sub RedmineDbWhereClause {
|
sub RedmineDbWhereClause {
|
||||||
my ($cfg, $parms, $arg) = @_;
|
my ($cfg, $parms, $arg) = @_;
|
||||||
if($arg) {
|
if($arg) {
|
||||||
$cfg->{PermissionQuery} = trim($cfg->{PermissionQuery}."$arg ");
|
$cfg->{PermissionQuery} = trim($cfg->{PermissionQuery}."$arg ");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
sub RedmineCacheCredsMax {
|
sub RedmineCacheCredsMax {
|
||||||
my ($cfg, $parms, $arg) = @_;
|
my ($cfg, $parms, $arg) = @_;
|
||||||
if ($arg) {
|
if ($arg) {
|
||||||
unless($cfg->{CachePool}) {
|
unless($cfg->{CachePool}) {
|
||||||
$cfg->{CachePool} = APR::Pool->new;
|
$cfg->{CachePool} = APR::Pool->new;
|
||||||
$cfg->{CacheCreds} = APR::Table::make($cfg->{CachePool}, $arg);
|
$cfg->{CacheCreds} = APR::Table::make($cfg->{CachePool}, $arg);
|
||||||
}
|
}
|
||||||
$cfg->{CacheCredsMax} = $arg;
|
$cfg->{CacheCredsMax} = $arg;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
sub set_val {
|
sub set_val {
|
||||||
my ($key, $cfg, $parms, $arg) = @_;
|
my ($key, $cfg, $parms, $arg) = @_;
|
||||||
$cfg->{$key} = $arg;
|
$cfg->{$key} = $arg;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub push_val {
|
sub push_val {
|
||||||
my ($key, $cfg, $parms, $arg) = @_;
|
my ($key, $cfg, $parms, $arg) = @_;
|
||||||
push @{ $cfg->{$key} }, $arg;
|
push @{ $cfg->{$key} }, $arg;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub trim {
|
sub trim {
|
||||||
my $string = shift;
|
my $string = shift;
|
||||||
$string =~ s/\s{2,}/ /g;
|
$string =~ s/\s{2,}/ /g;
|
||||||
return $string;
|
return $string;
|
||||||
}
|
}
|
||||||
|
|
||||||
Apache2::Module::add(__PACKAGE__, \@directives);
|
Apache2::Module::add(__PACKAGE__, \@directives);
|
||||||
|
|
@ -268,12 +268,12 @@ my @default_read_permissions = ( ':browse_repository' );
|
||||||
my @default_write_permissions = ( ':commit_access' );
|
my @default_write_permissions = ( ':commit_access' );
|
||||||
|
|
||||||
sub authen_handler {
|
sub authen_handler {
|
||||||
my $r = shift;
|
my $r = shift;
|
||||||
|
|
||||||
unless ($r->some_auth_required) {
|
unless ($r->some_auth_required) {
|
||||||
$r->log_reason("No authentication has been configured");
|
$r->log_reason("No authentication has been configured");
|
||||||
return FORBIDDEN;
|
return FORBIDDEN;
|
||||||
}
|
}
|
||||||
|
|
||||||
my ($res, $password) = $r->get_basic_auth_pw();
|
my ($res, $password) = $r->get_basic_auth_pw();
|
||||||
my $reason;
|
my $reason;
|
||||||
|
|
@ -315,7 +315,7 @@ sub authen_handler {
|
||||||
$r->log_reason($reason) if defined($reason);
|
$r->log_reason($reason) if defined($reason);
|
||||||
$r->note_basic_auth_failure unless $res == OK;
|
$r->note_basic_auth_failure unless $res == OK;
|
||||||
|
|
||||||
return $res;
|
return $res;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -348,18 +348,18 @@ sub check_login {
|
||||||
unless defined $host;
|
unless defined $host;
|
||||||
|
|
||||||
# Connect to the LDAP server
|
# Connect to the LDAP server
|
||||||
my $ldap = Authen::Simple::LDAP->new(
|
my $ldap = Authen::Simple::LDAP->new(
|
||||||
host => is_true($tls) ? "ldaps://$host:$port" : $host,
|
host => is_true($tls) ? "ldaps://$host:$port" : $host,
|
||||||
port => $port,
|
port => $port,
|
||||||
basedn => $base_dn,
|
basedn => $base_dn,
|
||||||
binddn => $account || "",
|
binddn => $account || "",
|
||||||
bindpw => $account_password || "",
|
bindpw => $account_password || "",
|
||||||
filter => '('.$attr_login.'=%s)'
|
filter => '('.$attr_login.'=%s)'
|
||||||
);
|
);
|
||||||
|
|
||||||
# Finally check user login
|
# Finally check user login
|
||||||
return (AUTH_REQUIRED, "LDAP authentication failed (user: '$user', server: '$host')")
|
return (AUTH_REQUIRED, "LDAP authentication failed (user: '$user', server: '$host')")
|
||||||
unless $ldap->authenticate($user, $password);
|
unless $ldap->authenticate($user, $password);
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
# Database authentication
|
# Database authentication
|
||||||
|
|
@ -380,36 +380,36 @@ sub check_login {
|
||||||
# check if authentication is forced
|
# check if authentication is forced
|
||||||
sub is_authentication_forced {
|
sub is_authentication_forced {
|
||||||
my $dbh = shift;
|
my $dbh = shift;
|
||||||
return is_true($dbh->selectrow_array("SELECT value FROM settings WHERE settings.name = 'login_required'"));
|
return is_true($dbh->selectrow_array("SELECT value FROM settings WHERE settings.name = 'login_required'"));
|
||||||
}
|
}
|
||||||
|
|
||||||
sub authz_handler {
|
sub authz_handler {
|
||||||
my $r = shift;
|
my $r = shift;
|
||||||
|
|
||||||
unless ($r->some_auth_required) {
|
unless ($r->some_auth_required) {
|
||||||
$r->log_reason("No authentication has been configured");
|
$r->log_reason("No authentication has been configured");
|
||||||
return FORBIDDEN;
|
return FORBIDDEN;
|
||||||
}
|
}
|
||||||
|
|
||||||
my $dbh = connect_database($r);
|
my $dbh = connect_database($r);
|
||||||
my $cfg = get_config($r);
|
my $cfg = get_config($r);
|
||||||
|
|
||||||
my ($identifier, $project_id, $is_public, $status) = get_project_data($r, $dbh);
|
my ($identifier, $project_id, $is_public, $status) = get_project_data($r, $dbh);
|
||||||
$is_public = is_true($is_public);
|
$is_public = is_true($is_public);
|
||||||
|
|
||||||
my($res, $reason) = FORBIDDEN;
|
my($res, $reason) = FORBIDDEN;
|
||||||
|
|
||||||
unless(defined($project_id)) {
|
unless(defined($project_id)) {
|
||||||
# Unknown project
|
# Unknown project
|
||||||
$res = DECLINED;
|
$res = DECLINED;
|
||||||
$reason = "not a redmine project";
|
$reason = "not a redmine project";
|
||||||
|
|
||||||
} elsif($status != 1 && !is_read_request($r)) {
|
} elsif($status != 1 && !is_read_request($r)) {
|
||||||
# Write operation on archived project is forbidden
|
# Write operation on archived project is forbidden
|
||||||
$reason = "write operations on inactive project '$identifier' are forbidden";
|
$reason = "write operations on inactive project '$identifier' are forbidden";
|
||||||
|
|
||||||
} elsif(!$r->user) {
|
} elsif(!$r->user) {
|
||||||
# Anonymous access
|
# Anonymous access
|
||||||
$res = AUTH_REQUIRED;
|
$res = AUTH_REQUIRED;
|
||||||
$reason = "anonymous access to '$identifier' denied";
|
$reason = "anonymous access to '$identifier' denied";
|
||||||
|
|
||||||
|
|
@ -419,19 +419,19 @@ sub authz_handler {
|
||||||
$res = OK if $permissions && check_permissions($r, $permissions);
|
$res = OK if $permissions && check_permissions($r, $permissions);
|
||||||
}
|
}
|
||||||
|
|
||||||
# Force login if failed
|
# Force login if failed
|
||||||
$r->note_auth_failure unless $res == OK;
|
$r->note_auth_failure unless $res == OK;
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
# Logged in user
|
# Logged in user
|
||||||
my $user = $r->user;
|
my $user = $r->user;
|
||||||
|
|
||||||
if($cfg->{SuperAdmin} && is_true($dbh->selectrow_array("SELECT admin FROM users WHERE login = ?", undef, $user))) {
|
if($cfg->{SuperAdmin} && is_true($dbh->selectrow_array("SELECT admin FROM users WHERE login = ?", undef, $user))) {
|
||||||
# Adminstrators have all the rights
|
# Adminstrators have all the rights
|
||||||
$res = OK;
|
$res = OK;
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
# Really check user permissions
|
# Really check user permissions
|
||||||
my @permissions = ();
|
my @permissions = ();
|
||||||
|
|
||||||
# Membership permissions
|
# Membership permissions
|
||||||
|
|
@ -446,7 +446,7 @@ sub authz_handler {
|
||||||
|
|
||||||
# Look for the permissions
|
# Look for the permissions
|
||||||
$res = OK if check_permissions($r, @permissions);
|
$res = OK if check_permissions($r, @permissions);
|
||||||
}
|
}
|
||||||
|
|
||||||
if($res == OK) {
|
if($res == OK) {
|
||||||
# Put successful credentials in cache
|
# Put successful credentials in cache
|
||||||
|
|
@ -457,16 +457,16 @@ sub authz_handler {
|
||||||
} else {
|
} else {
|
||||||
$reason = "insufficient permissions (user: '$user', project: '$identifier')";
|
$reason = "insufficient permissions (user: '$user', project: '$identifier')";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# Log what we have done
|
# Log what we have done
|
||||||
if($res == OK) {
|
if($res == OK) {
|
||||||
$r->log->debug("access granted: user '", ($r->user || 'anonymous'), "', project '$identifier', method: '", $r->method, "'") if $res == OK;
|
$r->log->debug("access granted: user '", ($r->user || 'anonymous'), "', project '$identifier', method: '", $r->method, "'") if $res == OK;
|
||||||
} elsif(defined $reason) {
|
} elsif(defined $reason) {
|
||||||
$r->log_reason($reason);
|
$r->log_reason($reason);
|
||||||
}
|
}
|
||||||
|
|
||||||
return $res;
|
return $res;
|
||||||
}
|
}
|
||||||
|
|
||||||
# get the project identifier
|
# get the project identifier
|
||||||
|
|
@ -480,7 +480,7 @@ sub get_project_identifier {
|
||||||
($identifier) = $r->uri =~ m{^\Q$location\E/*([^/]+)};
|
($identifier) = $r->uri =~ m{^\Q$location\E/*([^/]+)};
|
||||||
}
|
}
|
||||||
|
|
||||||
return $identifier;
|
return $identifier;
|
||||||
}
|
}
|
||||||
|
|
||||||
# tell if the given request is a read operation
|
# tell if the given request is a read operation
|
||||||
|
|
@ -517,7 +517,7 @@ sub get_project_data {
|
||||||
my $r = shift;
|
my $r = shift;
|
||||||
my $dbh = shift;
|
my $dbh = shift;
|
||||||
|
|
||||||
my $identifier = get_project_identifier($r);
|
my $identifier = get_project_identifier($r);
|
||||||
return $identifier, $dbh->selectrow_array("SELECT id, is_public, status FROM projects WHERE identifier = ?", undef, $identifier);
|
return $identifier, $dbh->selectrow_array("SELECT id, is_public, status FROM projects WHERE identifier = ?", undef, $identifier);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -539,7 +539,7 @@ sub connect_database {
|
||||||
# tell if a value returned from SQL is "true"
|
# tell if a value returned from SQL is "true"
|
||||||
sub is_true {
|
sub is_true {
|
||||||
my $value = shift;
|
my $value = shift;
|
||||||
return defined($value) && ($value == 1 || $value eq "t");
|
return defined($value) && ($value == 1 || $value eq "t");
|
||||||
}
|
}
|
||||||
|
|
||||||
# build credential cache key
|
# build credential cache key
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue