[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

propositionl: patching mod_authz_svn to be used as an authz provider for apache 2.4

From: Francisco L Fernandez Tortosa <fco.luis.fdez_at_es.ibm.com>
Date: Wed, 23 Jan 2019 10:42:55 +0000


I am involved in a customer project to replace CVS with SVN. SVN was
chosen against more popular alternatives like git, because it is a free,
open-source, mature and, this was the main point, centralized version
control system. Repositories are to be accessed through https protocol,
served by apache httpd server 2.4. Some features of the actual CVS service
had to be ported to the SVN setup. For example, normal users shouldn't be
able to create top (first) level folders and files. The straight forward
to implement that requisite was through path access cheking. But activate
mod_authz_svn implies breaking any other authz module, like for example
mod_authnz_ldap, required for us to control repository access based on
LDAP group membership, or having true read only service accounts for
Redmine, to have just two examples. Looking at the source code I have
found that mod_authz_svn is coded to support apache 2.2 authn / authz
instead of native 2.4 model. As I didn't consider it a major effort, I
have dedicated a few hours to analyze and patch the code, resulting in a
functional 2.4 authz provider. This way it can seamless combine with other
authz providers like in this example:

svn01:~/src/subversion-1.10.0/source/subversion-1.10.0 # cat
<IfModule mod_dav_svn.c>

SetEnvif Request_URI ^/repos/test Repo_test=1
CustomLog /svn/logs/repos/test/access.log "%h %t - %{SVN-REPOS-NAME}e -
%u - %{SVN-ACTION}e" env=Repo_test
<Location "/repos/test">
    DAV svn
    SVNPath /svn/repos/test
    AuthzSVNAccessFile /svn/config/auth/accessfile-test
    SVNReposName "Repositorio de TEST"
    AuthzSVNAuthoritative Off
    AuthzSVNAnonymous Off
    AuthMerging And
      Require control-point "GuardiasRedes"
      Require control-point "Administradores Servidores Horizontales"
      Require svnpathaccess "Granted"
svn01:~/src/subversion-1.10.0/source/subversion-1.10.0 #

The "Granted" argument to the "require svnpathaccess" line for the
provider is just a placeholder / syntax sugar as all the info that the
provider needs is provided through the directory level clauses
AuthzSVNAccessFile, SVNReposName... etc.

The patched code suits our needs, but we are very concerned about support
and maintenance. Would it be possible for the SVN dev team to integrate in
the official code a patch like this and provide the module full apache 2.4

Attached goes the patch for your consideration. It is written against
1.10 code. Perhaps you should correct some white spaces in the patch to
apply cleanly because security restrictions at the customer don't allow
the employes or subcontractors to send any type mail attachments, and I
had to copy it in the body.

Thanks in advance

Saludos / Regards

Francisco L. Fernndez Tortosa
IBM GS Spain - GTS Infrastructure Services Projects
Linux & open source services
Delivery Infrastructure Architect
email: fco.luis.fdez_at_es.ibm.com
IBM Global Services Espaa, S.A.
Mar Adritico, 2, 
28830 San Fernando de Henares (Madrid)
Registro Mercantil de Madrid, Folio 49; Tomo 6430; Hoja M-104.742
CIF A80-599459
Slo conozco dos tipos de personas razonables: las que aman a Dios de todo 
corazn porque lo conocen, y las que lo buscan de todo corazn porque no 
lo conocen.
                                                  Blas Pascal
Two things are infinite: the universe and human stupidity; and I'm not 
sure about the universe.
                                                  Albert Einstein
Salvo indicado de otro modo ms arriba / Unless stated otherwise above:
International Business Machines, S.A.
Santa Hortensia, 26-28, 28002 Madrid
Registro Mercantil de Madrid; Folio 1; Tomo 1525; Hoja M-28146
CIF A28-010791

Received on 2019-01-23 11:52:33 CET

This is an archived mail posted to the Subversion Dev mailing list.