diff --exclude=.svn -ruN tags/svn-trunk-r20114/subversion/mod_dav_svn/authz.c trunk/subversion/mod_dav_svn/authz.c --- tags/svn-trunk-r20114/subversion/mod_dav_svn/authz.c 1970-01-01 02:00:00.000000000 +0200 +++ trunk/subversion/mod_dav_svn/authz.c 2006-07-17 23:31:30.000000000 +0300 @@ -0,0 +1,273 @@ +/* + * authz.c: mod_dav_svn native path-based authorization + * + * ==================================================================== + * Copyright (c) 2003-2006 CollabNet. All rights reserved. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at http://subversion.tigris.org/license-1.html. + * If newer versions of this license are posted there, you may use a + * newer version instead, at your option. + * + * This software consists of voluntary contributions made by many + * individuals. For exact contribution history, see the revision + * history and logs, available at http://subversion.tigris.org/. + * ==================================================================== + */ + + + +#include +#include + +#include "svn_dav.h" + +#include "dav_svn.h" + +static int check_access(const char *repos_name, + const char *repos_path, + request_rec* r, + svn_repos_authz_access_t required_access) +{ + const char *authz_file = NULL; + svn_authz_t *access_conf = NULL; + svn_error_t *svn_err; + dav_error *dav_err; + const char *cache_key; + void *user_data; + svn_boolean_t access_granted; + char errbuf[128]; + + /* If native authz is off, there's nothing to do. Return DONE + * instead of OK to indicate that no checks have really been done. + */ + if (!dav_svn_get_native_authz_flag(r)) + return DONE; + + authz_file = dav_svn_get_native_authz_file(r); + /* If access file had not been specified, the default + behavior is to allow access. + XXX: is this right? */ + if(authz_file == NULL) + return OK; + + /* Retrieve/cache authorization file */ + cache_key = apr_pstrcat(r->pool, "mod_dav_svn:", authz_file, NULL); + apr_pool_userdata_get(&user_data, cache_key, r->connection->pool); + access_conf = user_data; + if (access_conf == NULL) { + svn_err = svn_repos_authz_read(&access_conf, authz_file, + TRUE, r->connection->pool); + if (svn_err) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, + /* If it is an error code that APR can make sense + of, then show it, otherwise, pass zero to avoid + putting "APR does not understand this error code" + in the error log. */ + ((svn_err->apr_err >= APR_OS_START_USERERR && + svn_err->apr_err < APR_OS_START_CANONERR) ? + 0 : svn_err->apr_err), + r, "Failed to load the SVNNativeAuthzFile: %s", + svn_err_best_message(svn_err, + errbuf, sizeof(errbuf))); + svn_error_clear(svn_err); + + return DECLINED; + } + + /* Cache the open repos for the next request on this connection */ + apr_pool_userdata_set(access_conf, cache_key, + NULL, r->connection->pool); + } + + /* Perform authz access control. */ + svn_err = svn_repos_authz_check_access(access_conf, repos_name, + repos_path, r->user, + required_access, + &access_granted, + r->pool); + + if (svn_err) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, + /* If it is an error code that APR can make + sense of, then show it, otherwise, pass + zero to avoid putting "APR does not + understand this error code" in the error + log. */ + ((svn_err->apr_err >= APR_OS_START_USERERR && + svn_err->apr_err < APR_OS_START_CANONERR) ? + 0 : svn_err->apr_err), + r, "Failed to perform access control: %s", + svn_err_best_message(svn_err, errbuf, sizeof(errbuf))); + svn_error_clear(svn_err); + + return DECLINED; + } + + if (!access_granted) + return DECLINED; + + return OK; +} + +/* Log a message indicating the access control decision made about a + * request. FILE and LINE should be supplied via the APLOG_MARK macro. + * ALLOWED is boolean. REPOS_PATH and DEST_REPOS_PATH are information + * about the request. DEST_REPOS_PATH may be NULL. */ +static void log_access_verdict(const char *file, int line, + const request_rec *r, + int allowed, + const char *repos_path, + svn_repos_authz_access_t required_access) +{ + int level = allowed ? APLOG_INFO : APLOG_ERR; + const char *verdict = allowed ? "granted" : "denied"; + + char access_str[4] = { 0, 0, 0, 0 }; + int access_idx = 0; + + if (required_access & svn_authz_read) + access_str[access_idx++] = 'r'; + + if (required_access & svn_authz_write) + access_str[access_idx++] = 'w'; + + if (required_access & svn_authz_recursive) + access_str[access_idx++] = 'R'; + + if (repos_path == NULL) + repos_path = ""; + + if (r->user) + { + ap_log_rerror(file, line, level, 0, r, + "[native] Access %s: '%s' %s %s %s", verdict, r->user, + r->method, repos_path, access_str); + } + else + { + ap_log_rerror(file, line, level, 0, r, + "[native] Access %s: - %s %s %s", verdict, + r->method, repos_path, access_str); + } +} + +dav_error * +dav_svn_check_access(const char *repos_name, + const char *repos_path, + request_rec *r, + svn_repos_authz_access_t required_access) +{ + int status; + + status = check_access(repos_name, repos_path, r, required_access); + + /* If no checks had been done, native authz is off, so don't log + * a possibly misleading authorization verdict. + */ + if (status == DONE) + return NULL; + + if(status == DECLINED) + { + log_access_verdict(APLOG_MARK, r, 0, repos_path, required_access); + ap_note_auth_failure(r); // XXX: need this? + + // XXX: need better error message + return dav_svn__new_error_tag(r->pool, HTTP_FORBIDDEN, 0, + "Insufficient rights to access resource.", + SVN_DAV_ERROR_NAMESPACE, + SVN_DAV_ERROR_TAG); + +} + + log_access_verdict(APLOG_MARK, r, 1, repos_path, required_access); + + return NULL; +} + +#if 0 +dav_error * +dav_svn_check_resource_access(dav_resource *resource, + svn_repos_authz_access_t required_access) +{ + { + char access[6] = { 0 }; + int access_idx = 0; + + request_rec* r = resource->info->r; + + if( required_access & svn_authz_read ) + access[access_idx++] = 'r'; + + if( required_access & svn_authz_write ) + access[access_idx++] = 'w'; + + if( required_access & svn_authz_recursive ) + access[access_idx++] = 'R'; + + if( r->user ) + { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "[native] resource access: '%s' %s %s access:%s", + r->user, r->method, resource->info->repos_path, access); + } + else + { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "[native] resource access: - %s %s access:%s", + r->method, resource->info->repos_path, access); + } + } + + return dav_svn_check_access(resource->info->repos->repo_name, + resource->info->repos_path, + resource->info->r, + required_access); +} + +dav_error * +dav_svn_check_resource_parent_access(dav_resource *resource, + svn_repos_authz_access_t required_access) +{ + char* parent_path = NULL; + + + + { + char access[6] = { 0 }; + int access_idx = 0; + + request_rec* r = resource->info->r; + + if( required_access & svn_authz_read ) + access[access_idx++] = 'r'; + + if( required_access & svn_authz_write ) + access[access_idx++] = 'w'; + + if( required_access & svn_authz_recursive ) + access[access_idx++] = 'R'; + + if( r->user ) + { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "[native] resource access: '%s' %s %s access:%s", + r->user, r->method, resource->info->repos_path, access); + } + else + { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "[native] resource access: - %s %s access:%s", + r->method, resource->info->repos_path, access); + } + } + + return dav_svn_check_access(resource->info->repos->repo_name, + resource->info->repos_path, + resource->info->r, + required_access); +} +#endif + diff --exclude=.svn -ruN tags/svn-trunk-r20114/subversion/mod_dav_svn/authz.lo trunk/subversion/mod_dav_svn/authz.lo --- tags/svn-trunk-r20114/subversion/mod_dav_svn/authz.lo 1970-01-01 02:00:00.000000000 +0200 +++ trunk/subversion/mod_dav_svn/authz.lo 2006-07-17 23:31:38.000000000 +0300 @@ -0,0 +1,12 @@ +# subversion/mod_dav_svn/authz.lo - a libtool object file +# Generated by ltmain.sh - GNU libtool 1.5.22 (1.1220.2.365 2005/12/18 22:14:06) +# +# Please DO NOT delete this file! +# It is necessary for linking the library. + +# Name of the PIC object. +pic_object='.libs/authz.o' + +# Name of the non-PIC object. +non_pic_object='authz.o' + diff --exclude=.svn -ruN tags/svn-trunk-r20114/subversion/mod_dav_svn/dav_svn.h trunk/subversion/mod_dav_svn/dav_svn.h --- tags/svn-trunk-r20114/subversion/mod_dav_svn/dav_svn.h 2006-06-21 13:11:01.000000000 +0300 +++ trunk/subversion/mod_dav_svn/dav_svn.h 2006-07-17 21:11:48.000000000 +0300 @@ -282,7 +282,12 @@ SVNParentPath allowed? */ svn_boolean_t dav_svn_get_list_parentpath_flag(request_rec *r); +/* for the repository referred to by this request, is native authz active? */ +svn_boolean_t dav_svn_get_native_authz_flag(request_rec *r); +/* for the repository referred to by this request, where is the access + file for native authz */ +const char *dav_svn_get_native_authz_file(request_rec *r); /* SPECIAL URI @@ -658,6 +663,14 @@ int http_status, request_rec *r); +/* Native path-based authorization */ + +dav_error * +dav_svn_check_access(const char *repos_name, + const char *repos_path, + request_rec *r, + svn_repos_authz_access_t required_access); + #ifdef __cplusplus } #endif /* __cplusplus */ diff --exclude=.svn -ruN tags/svn-trunk-r20114/subversion/mod_dav_svn/lock.c trunk/subversion/mod_dav_svn/lock.c --- tags/svn-trunk-r20114/subversion/mod_dav_svn/lock.c 2006-06-21 13:11:01.000000000 +0300 +++ trunk/subversion/mod_dav_svn/lock.c 2006-07-18 02:54:14.000000000 +0300 @@ -656,12 +656,31 @@ svn_error_t *serr; dav_error *derr; - /* If the resource's fs path is unreadable, we don't allow a lock to - be created on it. */ - if (! dav_svn_allow_read(resource, SVN_INVALID_REVNUM, resource->pool)) - return dav_new_error(resource->pool, HTTP_FORBIDDEN, - DAV_ERR_LOCK_SAVE_LOCK, - "Path is not accessible."); + /* XXX: This whole if(...) is a hack untill we introduce a + * dav_svn_allow_write() function - LOCK command needs write + * access to resource. mod_authz_svn, however had already + * authenticated a write. + */ + + if (dav_svn_get_native_authz_flag(resource->info->r)) + { + /* Path-based authorization: LOCK needs write access to resource */ + derr = dav_svn_check_access(resource->info->repos->repo_name, + resource->info->repos_path, + resource->info->r, + svn_authz_write); + if (derr) + return derr; + } + else + { + /* If the resource's fs path is unreadable, we don't allow a lock to + be created on it. */ + if (! dav_svn_allow_read(resource, SVN_INVALID_REVNUM, resource->pool)) + return dav_new_error(resource->pool, HTTP_FORBIDDEN, + DAV_ERR_LOCK_SAVE_LOCK, + "Path is not accessible."); + } if (lock->next) return dav_new_error(resource->pool, HTTP_BAD_REQUEST, @@ -822,12 +841,27 @@ if (info->keep_locks) return 0; - /* If the resource's fs path is unreadable, we don't allow a lock to - be removed from it. */ - if (! dav_svn_allow_read(resource, SVN_INVALID_REVNUM, resource->pool)) - return dav_new_error(resource->pool, HTTP_FORBIDDEN, - DAV_ERR_LOCK_SAVE_LOCK, - "Path is not accessible."); + if (dav_svn_get_native_authz_flag(resource->info->r)) + { + /* Path-based authorization: UNLOCK needs write access to resource */ + dav_error *derr; + + derr = dav_svn_check_access(resource->info->repos->repo_name, + resource->info->repos_path, + resource->info->r, + svn_authz_write); + if (derr) + return derr; + } + else + { + /* If the resource's fs path is unreadable, we don't allow a lock to + be removed from it. */ + if (! dav_svn_allow_read(resource, SVN_INVALID_REVNUM, resource->pool)) + return dav_new_error(resource->pool, HTTP_FORBIDDEN, + DAV_ERR_LOCK_SAVE_LOCK, + "Path is not accessible."); + } if (locktoken == NULL) { diff --exclude=.svn -ruN tags/svn-trunk-r20114/subversion/mod_dav_svn/mod_dav_svn.c trunk/subversion/mod_dav_svn/mod_dav_svn.c --- tags/svn-trunk-r20114/subversion/mod_dav_svn/mod_dav_svn.c 2006-06-21 13:11:01.000000000 +0300 +++ trunk/subversion/mod_dav_svn/mod_dav_svn.c 2006-06-21 13:20:51.000000000 +0300 @@ -66,6 +66,9 @@ enum dav_svn_flag do_path_authz; /* whether GET subrequests are active */ enum dav_svn_flag list_parentpath; /* whether to allow GET of parentpath */ + enum dav_svn_flag do_native_authz; /* whether native authz is active */ + const char *native_authz_file; /* rule file for native authz */ + } dav_svn_dir_conf; #define INHERIT_VALUE(parent, child, field) \ @@ -139,6 +142,9 @@ newconf->autoversioning = INHERIT_VALUE(parent, child, autoversioning); newconf->do_path_authz = INHERIT_VALUE(parent, child, do_path_authz); newconf->list_parentpath = INHERIT_VALUE(parent, child, list_parentpath); + newconf->do_native_authz = INHERIT_VALUE(parent, child, do_native_authz); + newconf->native_authz_file = INHERIT_VALUE(parent, child, + native_authz_file); return newconf; } @@ -189,7 +195,6 @@ return NULL; } - static const char *dav_svn_list_parentpath_cmd(cmd_parms *cmd, void *config, int arg) { @@ -203,7 +208,6 @@ return NULL; } - static const char *dav_svn_path_cmd(cmd_parms *cmd, void *config, const char *arg1) { @@ -218,7 +222,6 @@ return NULL; } - static const char *dav_svn_parent_path_cmd(cmd_parms *cmd, void *config, const char *arg1) { @@ -264,6 +267,29 @@ return NULL; } +static const char *dav_svn_native_authz_cmd(cmd_parms *cmd, void *config, + int arg) +{ + dav_svn_dir_conf *conf = config; + + if (arg) + conf->do_native_authz = DAV_SVN_FLAG_ON; + else + conf->do_native_authz = DAV_SVN_FLAG_OFF; + + return NULL; +} +static const char *dav_svn_native_authz_file_cmd(cmd_parms *cmd, void *config, + const char *arg1) +{ + dav_svn_dir_conf *conf = config; + + conf->native_authz_file + = svn_path_canonicalize(apr_pstrdup(cmd->pool, arg1), cmd->pool); + + return NULL; +} + /** Accessor functions for the module's configuration state **/ @@ -375,6 +401,22 @@ return conf->list_parentpath == DAV_SVN_FLAG_ON; } +svn_boolean_t dav_svn_get_native_authz_flag(request_rec *r) +{ + dav_svn_dir_conf *conf; + + conf = ap_get_module_config(r->per_dir_config, &dav_svn_module); + return conf->do_native_authz == DAV_SVN_FLAG_ON; +} + +const char *dav_svn_get_native_authz_file(request_rec *r) +{ + dav_svn_dir_conf *conf; + + conf = ap_get_module_config(r->per_dir_config, &dav_svn_module); + return conf->native_authz_file; +} + static void merge_xml_filter_insert(request_rec *r) { /* We only care about MERGE and DELETE requests. */ @@ -527,6 +569,17 @@ AP_INIT_FLAG("SVNListParentPath", dav_svn_list_parentpath_cmd, NULL, ACCESS_CONF|RSRC_CONF, "allow GET of SVNParentPath."), + /* per directory/location */ + AP_INIT_FLAG("SVNNativeAuthz", dav_svn_native_authz_cmd, NULL, + ACCESS_CONF|RSRC_CONF, + "use mod_dav_svn native path-based authorization"), + + /* per directory/location */ + AP_INIT_TAKE1("SVNNativeAuthzFile", dav_svn_native_authz_file_cmd, NULL, + ACCESS_CONF|RSRC_CONF, + "Text file containing permissions of repository paths " + "for mod_dav_svn native path-based authorization"), + { NULL } }; diff --exclude=.svn -ruN tags/svn-trunk-r20114/subversion/mod_dav_svn/repos.c trunk/subversion/mod_dav_svn/repos.c --- tags/svn-trunk-r20114/subversion/mod_dav_svn/repos.c 2006-06-21 13:11:01.000000000 +0300 +++ trunk/subversion/mod_dav_svn/repos.c 2006-07-18 01:56:35.000000000 +0300 @@ -1481,6 +1481,27 @@ if (err) return err; +#ifdef SVN_DEBUG +#if 0 + /* Perform native authz for dav_svn_get_resource(). This call is just + * for debugging purposes to trace resource lookups vs. native authz + * lookups. + */ + if (dav_svn_get_native_authz_flag(r)) + { + err = dav_svn_check_access(repos_name, repos_path, r, + svn_authz_read|svn_authz_generic); + if (err) + return err; + } +#endif + + ap_log_rerror (APLOG_MARK, APLOG_INFO, 0, r, + "dav_svn_get_resource(): %s %s %s (%s)", + (r->user ? r->user : "-"), + r->method, repos_path, r->uri); +#endif + /* The path that we will eventually try to open as an svn repository. Normally defined by the SVNPath directive. */ fs_path = dav_svn_get_fs_path(r); @@ -2911,6 +2932,17 @@ "MKCOL called on regular resource, but " "autoversioning is not active."); + /* Path-based authorization: MKCOL requires write access to the + * parent directory of the new resource. + */ + err = dav_svn_check_access(resource->info->repos->repo_name, + get_parent_path(resource->info->repos_path, + resource->pool), + resource->info->r, + svn_authz_write); + if (err) + return err; + /* ### note that the parent was checked out at some point, and this ### is being preformed relative to the working rsrc for that parent */ @@ -2986,6 +3018,26 @@ "COPY called on regular resource, but " "autoversioning is not active."); + /* Path-based authorization: COPY requires recursive read access + * to the source resource and write access to the parent directory + * of the destivation resource. + */ + + err = dav_svn_check_access(src->info->repos->repo_name, + src->info->repos_path, + src->info->r, + svn_authz_read|svn_authz_recursive); + if (err) + return err; + + err = dav_svn_check_access(dst->info->repos->repo_name, + get_parent_path(dst->info->repos_path, + dst->pool), + dst->info->r, + svn_authz_write); + if (err) + return err; + /* Auto-versioning copy of regular resource: */ if (dst->type == DAV_RESOURCE_TYPE_REGULAR) { @@ -3063,10 +3115,36 @@ /* Handle activity deletions (early exit). */ if (resource->type == DAV_RESOURCE_TYPE_ACTIVITY) { + /* Path-based authorization: DELETE of an activity requires + * a global write access to the repository. + * + * XXX: Given the UUID of an activity is unique and there are + * no malicious users, checking for global write access to + * the repository on DELETE is not neccesary as it has already + * been checked on MKACTIVITY. + * -- arteme + */ + err = dav_svn_check_access(resource->info->repos->repo_name, + NULL, /* global repository access */ + resource->info->r, + svn_authz_write); + if (err) + return err; + return dav_svn_delete_activity(resource->info->repos, resource->info->root.activity_id); } + /* Path-based authorization: DELETE requires recursive write access + * to the resource. + */ + err = dav_svn_check_access(resource->info->repos->repo_name, + resource->info->repos_path, + resource->info->r, + svn_authz_write|svn_authz_recursive); + if (err) + return err; + /* ### note that the parent was checked out at some point, and this ### is being preformed relative to the working rsrc for that parent */ @@ -3183,6 +3261,26 @@ "MOVE only allowed on two public URIs, and " "autoversioning must be active."); + /* Path-based authorization: MOVE requires recursive write access + * to the source resource and write access to the parent directory + * of the destivation resource. + */ + + err = dav_svn_check_access(src->info->repos->repo_name, + src->info->repos_path, + src->info->r, + svn_authz_write|svn_authz_recursive); + if (err) + return err; + + err = dav_svn_check_access(dst->info->repos->repo_name, + get_parent_path(dst->info->repos_path, + dst->pool), + dst->info->r, + svn_authz_write); + if (err) + return err; + /* Change the dst VCR into a WR, in place. This creates a txn and changes dst->info->root from a rev-root into a txn-root. */ err = dav_svn_checkout(dst, diff --exclude=.svn -ruN tags/svn-trunk-r20114/subversion/mod_dav_svn/update.c trunk/subversion/mod_dav_svn/update.c --- tags/svn-trunk-r20114/subversion/mod_dav_svn/update.c 2006-06-21 13:11:01.000000000 +0300 +++ trunk/subversion/mod_dav_svn/update.c 2006-07-17 11:57:06.000000000 +0300 @@ -139,15 +139,29 @@ /* Build a Version Resource uri representing (rev, path). */ uri = dav_svn_build_uri(repos, uri_type, rev, path, FALSE, pool); - /* Check if GET would work against this uri. */ - subreq = ap_sub_req_method_uri("GET", uri, r, r->output_filters); - - if (subreq) + if (dav_svn_get_native_authz_flag(r)) { - if (subreq->status == HTTP_OK) + /* Do native auhorization lookup */ + dav_error *err = dav_svn_check_access(repos->repo_name, path, r, + svn_authz_read); + + if (! err) allowed = TRUE; - ap_destroy_sub_req(subreq); + /* XXX: need to cleanup dav_error? */ + } + else + { + /* Check if GET would work against this uri. */ + subreq = ap_sub_req_method_uri("GET", uri, r, r->output_filters); + + if (subreq) + { + if (subreq->status == HTTP_OK) + allowed = TRUE; + + ap_destroy_sub_req(subreq); + } } return allowed; diff --exclude=.svn -ruN tags/svn-trunk-r20114/subversion/mod_dav_svn/version.c trunk/subversion/mod_dav_svn/version.c --- tags/svn-trunk-r20114/subversion/mod_dav_svn/version.c 2006-06-21 13:11:01.000000000 +0300 +++ trunk/subversion/mod_dav_svn/version.c 2006-07-17 16:54:57.000000000 +0300 @@ -247,6 +247,16 @@ dav_error *derr; dav_svn_uri_info parse; + /* Path-based authorization: CHECKOUT requires write access + * to the resource. + */ + derr = dav_svn_check_access(resource->info->repos->repo_name, + resource->info->repos_path, + resource->info->r, + svn_authz_write); + if (derr) + return derr; + /* Auto-Versioning Stuff */ if (auto_checkout) { @@ -1333,7 +1343,18 @@ const apr_xml_doc *doc, ap_filter_t *output) { - int ns = dav_svn_find_ns(doc->namespaces, SVN_XML_NAMESPACE); + int ns; + dav_error *err; + + /* Path-based authorization: REPORT requires read access to the resource */ + err = dav_svn_check_access(resource->info->repos->repo_name, + resource->info->repos_path, + r, + svn_authz_read); + if (err) + return err; + + ns = dav_svn_find_ns(doc->namespaces, SVN_XML_NAMESPACE); if (doc->root->ns == ns) { @@ -1408,7 +1429,17 @@ "DAV:activity-collection-set property.", SVN_DAV_ERROR_NAMESPACE, SVN_DAV_ERROR_TAG); - + + /* Path-based authorization: MKACTIVITY needs global write access + * to the repository. + */ + err = dav_svn_check_access(resource->info->repos->repo_name, + NULL, /* global repository access */ + resource->info->r, + svn_authz_write); + if (err) + return err; + err = dav_svn_create_activity(resource->info->repos, &txn_name, resource->pool); if (err != NULL)