jiangxin · March 28, 2013 13:52
diff --git a/0001-Do-not-check-project-permissions-for-svn-redmine-bin.patch b/0001-Do-not-check-project-permissions-for-svn-redmine-bin.patch
 This module is based on a wrong assumption: repository has the same name
 with it's project. So it's wrong to check user permissions in project.

 We only use this module for authn checking, and use subversion's own
 path based authz instead.

 Signed-off-by: Jiang Xin <[email protected]>
 ---
 extra/svn/Redmine.pm | 39 ++++++++++++---------------------------
 1 file changed, 12 insertions(+), 27 deletions(-)

 diff --git a/extra/svn/Redmine.pm b/extra/svn/Redmine.pm
 index fbaf177..ec6b6e5 100644
 --- a/extra/svn/Redmine.pm
 +++ b/extra/svn/Redmine.pm
 @@ -157,17 +157,11 @@ sub RedmineDSN {
   my ($self, $parms, $arg) = @_;
   $self->{RedmineDSN} = $arg;
   my $query = "SELECT 
 -                 hashed_password, salt, auth_source_id, permissions
 -              FROM projects, users, roles
 +                 hashed_password, salt, auth_source_id
 +              FROM users
               WHERE 
                 users.login=? 
 -                AND projects.identifier=?
 -                AND users.status=1 
 -                AND (
 -                  roles.id IN (SELECT member_roles.role_id FROM members, member_roles WHERE members.user_id = users.id AND members.project_id = projects.id AND members.id = member_roles.member_id)
 -                  OR
 -                  (roles.builtin=1 AND cast(projects.is_public as CHAR) IN ('t', '1'))
 -                ) ";
 +                AND users.status=1";
   $self->{RedmineQuery} = trim($query);
 }
 
 @@ -212,14 +206,6 @@ sub access_handler {
       return FORBIDDEN;
   }
 
 -  my $method = $r->method;
 -  return OK unless defined $read_only_methods{$method};
 -
 -  my $project_id = get_project_identifier($r);
 -
 -  $r->set_handlers(PerlAuthenHandler => [\&OK])
 -      if is_public_project($project_id, $r) && anonymous_role_allows_browse_repository($r);
 -
   return OK
 }
 
 @@ -229,7 +215,7 @@ sub authen_handler {
   my ($res, $redmine_pass) =  $r->get_basic_auth_pw();
   return $res unless $res == OK;
 
 -  if (is_member($r->user, $redmine_pass, $r)) {
 +  if (do_authn($r->user, $redmine_pass, $r)) {
       return OK;
   } else {
       $r->note_auth_failure();
 @@ -328,13 +314,12 @@ sub anonymous_role_allows_browse_repository {
 #     return 1 if (stat($repos_path))[2] & 00007;
 # }
 
 -sub is_member {
 +sub do_authn {
   my $redmine_user = shift;
   my $redmine_pass = shift;
   my $r = shift;
 
   my $dbh         = connect_database($r);
 -  my $project_id  = get_project_identifier($r);
 
   my $pass_digest = Digest::SHA::sha1_hex($redmine_pass);
 
 @@ -343,20 +328,20 @@ sub is_member {
   my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);
   my $usrprojpass;
   if ($cfg->{RedmineCacheCredsMax}) {
 -    $usrprojpass = $cfg->{RedmineCacheCreds}->get($redmine_user.":".$project_id.":".$access_mode);
 +    $usrprojpass = $cfg->{RedmineCacheCreds}->get($redmine_user.":".$access_mode);
     return 1 if (defined $usrprojpass and ($usrprojpass eq $pass_digest));
   }
   my $query = $cfg->{RedmineQuery};
   my $sth = $dbh->prepare($query);
 -  $sth->execute($redmine_user, $project_id);
 +  $sth->execute($redmine_user);
 
   my $ret;
 -  while (my ($hashed_password, $salt, $auth_source_id, $permissions) = $sth->fetchrow_array) {
 +  while (my ($hashed_password, $salt, $auth_source_id) = $sth->fetchrow_array) {
 
       unless ($auth_source_id) {
 	  			my $method = $r->method;
           my $salted_password = Digest::SHA::sha1_hex($salt.$pass_digest);
 -					if ($hashed_password eq $salted_password && (($access_mode eq "R" && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/) ) {
 +					if ($hashed_password eq $salted_password) {
               $ret = 1;
               last;
           }
 @@ -382,7 +367,7 @@ sub is_member {
                 filter  =>      "(".$rowldap[6]."=%s)"
             );
             my $method = $r->method;
 -            $ret = 1 if ($ldap->authenticate($redmine_user, $redmine_pass) && (($access_mode eq "R" && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/));
 +            $ret = 1 if ($ldap->authenticate($redmine_user, $redmine_pass));
 
           }
           $sthldap->finish();
 @@ -396,10 +381,10 @@ sub is_member {
 
   if ($cfg->{RedmineCacheCredsMax} and $ret) {
     if (defined $usrprojpass) {
 -      $cfg->{RedmineCacheCreds}->set($redmine_user.":".$project_id.":".$access_mode, $pass_digest);
 +      $cfg->{RedmineCacheCreds}->set($redmine_user.":".$access_mode, $pass_digest);
     } else {
       if ($cfg->{RedmineCacheCredsCount} < $cfg->{RedmineCacheCredsMax}) {
 -        $cfg->{RedmineCacheCreds}->set($redmine_user.":".$project_id.":".$access_mode, $pass_digest);
 +        $cfg->{RedmineCacheCreds}->set($redmine_user.":".$access_mode, $pass_digest);
         $cfg->{RedmineCacheCredsCount}++;
       } else {
         $cfg->{RedmineCacheCreds}->clear();
 -- 
 1.8.2.61.g7b9a419
	This module is based on a wrong assumption: repository has the same name
	with it's project. So it's wrong to check user permissions in project.

	We only use this module for authn checking, and use subversion's own
	path based authz instead.

	Signed-off-by: Jiang Xin <[email protected]>
	---
	extra/svn/Redmine.pm \| 39 ++++++++++++---------------------------
	1 file changed, 12 insertions(+), 27 deletions(-)

	diff --git a/extra/svn/Redmine.pm b/extra/svn/Redmine.pm
	index fbaf177..ec6b6e5 100644
	--- a/extra/svn/Redmine.pm
	+++ b/extra/svn/Redmine.pm
	@@ -157,17 +157,11 @@ sub RedmineDSN {
	my ($self, $parms, $arg) = @_;
	$self->{RedmineDSN} = $arg;
	my $query = "SELECT
	- hashed_password, salt, auth_source_id, permissions
	- FROM projects, users, roles
	+ hashed_password, salt, auth_source_id
	+ FROM users
	WHERE
	users.login=?
	- AND projects.identifier=?
	- AND users.status=1
	- AND (
	- roles.id IN (SELECT member_roles.role_id FROM members, member_roles WHERE members.user_id = users.id AND members.project_id = projects.id AND members.id = member_roles.member_id)
	- OR
	- (roles.builtin=1 AND cast(projects.is_public as CHAR) IN ('t', '1'))
	- ) ";
	+ AND users.status=1";
	$self->{RedmineQuery} = trim($query);
	}

	@@ -212,14 +206,6 @@ sub access_handler {
	return FORBIDDEN;
	}

	- my $method = $r->method;
	- return OK unless defined $read_only_methods{$method};
	-
	- my $project_id = get_project_identifier($r);
	-
	- $r->set_handlers(PerlAuthenHandler => [\&OK])
	- if is_public_project($project_id, $r) && anonymous_role_allows_browse_repository($r);
	-
	return OK
	}

	@@ -229,7 +215,7 @@ sub authen_handler {
	my ($res, $redmine_pass) = $r->get_basic_auth_pw();
	return $res unless $res == OK;

	- if (is_member($r->user, $redmine_pass, $r)) {
	+ if (do_authn($r->user, $redmine_pass, $r)) {
	return OK;
	} else {
	$r->note_auth_failure();
	@@ -328,13 +314,12 @@ sub anonymous_role_allows_browse_repository {
	# return 1 if (stat($repos_path))[2] & 00007;
	# }

	-sub is_member {
	+sub do_authn {
	my $redmine_user = shift;
	my $redmine_pass = shift;
	my $r = shift;

	my $dbh = connect_database($r);
	- my $project_id = get_project_identifier($r);

	my $pass_digest = Digest::SHA::sha1_hex($redmine_pass);

	@@ -343,20 +328,20 @@ sub is_member {
	my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);
	my $usrprojpass;
	if ($cfg->{RedmineCacheCredsMax}) {
	- $usrprojpass = $cfg->{RedmineCacheCreds}->get($redmine_user.":".$project_id.":".$access_mode);
	+ $usrprojpass = $cfg->{RedmineCacheCreds}->get($redmine_user.":".$access_mode);
	return 1 if (defined $usrprojpass and ($usrprojpass eq $pass_digest));
	}
	my $query = $cfg->{RedmineQuery};
	my $sth = $dbh->prepare($query);
	- $sth->execute($redmine_user, $project_id);
	+ $sth->execute($redmine_user);

	my $ret;
	- while (my ($hashed_password, $salt, $auth_source_id, $permissions) = $sth->fetchrow_array) {
	+ while (my ($hashed_password, $salt, $auth_source_id) = $sth->fetchrow_array) {

	unless ($auth_source_id) {
	my $method = $r->method;
	my $salted_password = Digest::SHA::sha1_hex($salt.$pass_digest);
	- if ($hashed_password eq $salted_password && (($access_mode eq "R" && $permissions =~ /:browse_repository/) \|\| $permissions =~ /:commit_access/) ) {
	+ if ($hashed_password eq $salted_password) {
	$ret = 1;
	last;
	}
	@@ -382,7 +367,7 @@ sub is_member {
	filter => "(".$rowldap[6]."=%s)"
	);
	my $method = $r->method;
	- $ret = 1 if ($ldap->authenticate($redmine_user, $redmine_pass) && (($access_mode eq "R" && $permissions =~ /:browse_repository/) \|\| $permissions =~ /:commit_access/));
	+ $ret = 1 if ($ldap->authenticate($redmine_user, $redmine_pass));

	}
	$sthldap->finish();
	@@ -396,10 +381,10 @@ sub is_member {

	if ($cfg->{RedmineCacheCredsMax} and $ret) {
	if (defined $usrprojpass) {
	- $cfg->{RedmineCacheCreds}->set($redmine_user.":".$project_id.":".$access_mode, $pass_digest);
	+ $cfg->{RedmineCacheCreds}->set($redmine_user.":".$access_mode, $pass_digest);
	} else {
	if ($cfg->{RedmineCacheCredsCount} < $cfg->{RedmineCacheCredsMax}) {
	- $cfg->{RedmineCacheCreds}->set($redmine_user.":".$project_id.":".$access_mode, $pass_digest);
	+ $cfg->{RedmineCacheCreds}->set($redmine_user.":".$access_mode, $pass_digest);
	$cfg->{RedmineCacheCredsCount}++;
	} else {
	$cfg->{RedmineCacheCreds}->clear();
	--
	1.8.2.61.g7b9a419