RE: Check Path based authorization

From: Stuempfig, Thomas <thomas.stuempfig_at_siemens.com>
Date: Tue, 11 Dec 2018 17:40:15 +0000

Hi Brane,
Well, after testing, the tool does not actually do what I would like. But it is giving me a starting point / workaround.
I tested the tool with VisualSVN Server on Windows.

Steps to reproduce
1) configure basic Windows authentication

2) grant "rw" access to the repository root path for AD group
        VisualSVN Server places the objectSid S-1-1-11-111111111-111111111-11111111-11111 of the group in the VisualSVN-WinAuthz.ini file of the repository

3) svnauthz.exe accessof --username S-2-2-22-222222222-22222222-222222222-22222 d:\repositories\test\conf\VisualSVN-WinAuthz.ini
  Where username is a member of the AD group objectSid S-1-1-11-111111111-111111111-11111111-11111
  Result: no

But
4) svnauthz.exe accessof --username S-1-1-11-111111111-111111111-11111111-11111 22222 d:\repositories\test\conf\VisualSVN-WinAuthz.ini
Gives "rw"

This is not what I am looking for.

I could probably use some LDAP query in order to find out the groups that user S-2--- is a member of and test these against the svn file. I personally don't like LDAP queries, but if needed I will stick with that.

So I am looking for better ideas... or if anybody already did the job of cycling through one's user AD groups recursively... calling svnauthz for each of the groups, I would offer some beer ...

regards
Thomas

-----Original Message-----
From: [ext] Stuempfig, Thomas [mailto:thomas.stuempfig_at_siemens.com]
Sent: Tuesday, 11 December 2018 17:22
To: Branko Čibej <brane_at_apache.org>; users_at_subversion.apache.org
Subject: RE: Check Path based authorization

Hi Brane,
Thank you for the quick response. This is probably what I would be looking for. I'll test it and will come back with my findings.

Best regards
Thomas

-----Original Message-----
From: Branko Čibej [mailto:brane_at_apache.org]
Sent: Tuesday, 11 December 2018 11:00
To: users_at_subversion.apache.org
Subject: Re: Check Path based authorization

On 11.12.2018 10:24, Stuempfig, Thomas wrote:
> Hi all,
> We have a large organization, many projects and quite a bit of history (10 years) with one of the repos… and after a while path based authorization becomes quite difficult.
> I would like to ask if it is possible as an admin to check path based authorization for a user x (LDAP).
>
> It would be great if one could give ("none", "rw", "r") or alike for a path.
> Kind of executing a call like the call below as admin.
>
> getactiveprivs usertocheck
> http(s)://server.domain.com//svn/myproject/branches/branch_dev/
>
> I mean this is the core, there could be several variations of this call. Get privs of LDAP group members … as different members belong to different other groups, each of them possibly has different access rights. It would be really great to have some table of active privileges.

Is the 'svnauthz' tool not good enough? It's usually installed separately from the core binaries, in some 'subversion-tools' package, but it's intended for exactly this kind of test.

-- Brane

$ svnauthz accessof --help
accessof: Print or test the permissions set by an authz file.
usage: 1. svnauthz accessof TARGET
       2. svnauthz accessof -t TXN REPOS_PATH FILE_PATH

  1. Prints the access of USER to PATH based on authorization file at TARGET.
     TARGET can be a path to a file or an absolute file:// URL to an authz
     file in a repository, but cannot be a repository relative URL (^/).

  2. Prints the access of USER to PATH based on authz file at FILE_PATH in the
     transaction TXN in the repository at REPOS_PATH.

  USER is the argument to the --username option; if that option is not
  provided, then access of an anonymous user will be printed or tested.

  PATH is the argument to the --path option; if that option is not provided,
  the maximal access to any path in the repository will be considered.

Outputs one of the following:
     rw    write access (which also implies read)
      r    read access
     no    no access

Returns:
    0   when syntax is OK and '--is' argument (if any) matches.
    1   when syntax is invalid.
    2   operational error
    3   when '--is' argument doesn't match

Valid options:
  -t [--transaction] ARG   : transaction id
  --username ARG           : username to check access of
  --path ARG               : path within repository to check access of
  --repository ARG         : repository authz name
  --is ARG                 : instead of outputting, test if the access is
                             exactly ARG
                             ARG can be one of the following values:
                                rw    write access (which also implies read)
                                 r    read-only access
                                no    no access
  --groups-file ARG        : use the groups from file ARG
  -R [--recursive]         : determine recursive access to PATH

-----------------
Siemens Industry Software GmbH; Address: Franz-Geuer-Str. 10, 50823 Köln; limited liability company; Managing Directors: Urban August, Daniel Trebes; Registered office: Köln; Court of registration: Amtsgericht Köln, HRB 84564
Received on 2018-12-11 18:40:46 CET

This is an archived mail posted to the Subversion Users mailing list.
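
Added example, not part of the original thread and not code from Subversion or VisualSVN: a PowerShell sketch of the loop asked for above, which expands a user's direct and nested AD groups and runs `svnauthz accessof` once per SID. It assumes the RSAT ActiveDirectory module and an authz file that lists SIDs as in step 2; the parameter names are hypothetical. Separate per-SID checks do not model how the server combines rules for a user and several groups, so the highest result is something to verify, not the server's decision.

```powershell
# Added example; parameter names and defaults are placeholders, not from the thread.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [Parameter(Mandatory)] [string] $AuthzFile,   # e.g. the repository's VisualSVN-WinAuthz.ini
    [string] $RepoPath = '/',
    [string] $SvnAuthz = 'svnauthz.exe'
)
Import-Module ActiveDirectory   # RSAT module, assumed to be installed

$user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroupID

# Escape the DN for use as an LDAP filter value (backslash first).
$dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' `
                              -replace '\(', '\28' -replace '\)', '\29'

# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941): direct and nested groups.
$groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)")

# The primary group is not stored in 'member', so add its SID explicitly
# (groups that the primary group is itself nested in are not expanded here).
$primarySid = "$($user.SID.AccountDomainSid)-$($user.PrimaryGroupID)"

$sids = @($user.SID.Value) + @($groups | ForEach-Object { $_.SID.Value }) + $primarySid |
        Select-Object -Unique

# Ask svnauthz about each SID as if it were a username, as in steps 3 and 4 above.
$rank = @{ no = 0; r = 1; rw = 2 }
$results = foreach ($sid in $sids) {
    $out = & $SvnAuthz accessof --username $sid --path $RepoPath $AuthzFile
    if ($LASTEXITCODE -ne 0) { throw "svnauthz failed for $sid (exit code $LASTEXITCODE)" }
    [pscustomobject]@{ Sid = $sid; Access = ([string]($out | Select-Object -First 1)).Trim() }
}

# Per-SID table, then the highest access any single SID received.
$results
$best = $results | Sort-Object { $rank[$_.Access] } -Descending | Select-Object -First 1
"Highest per-SID result for $SamAccountName on ${RepoPath}: $($best.Access)"
```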
