Feature #11475

closed

Redmine.pm: Allow fallback to other Apache auth providers

Added by Yasin Al Farhad over 12 years ago. Updated almost 12 years ago.

Status: Closed
Priority: Normal
Category: SCM extra
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed

Description

The goal was to allow other auth modules to co-exist with Redmine.pm, and thus satisfy special case requests covering global administrative/anonymous requests in addition to those allowed by Redmine based on project relationships. I tried every other possible combination of Apache directives to achieve this goal, but it looks like by returning AUTH_REQUIRED early in the process, Redmine.pm is becoming authoritative and preventing other modules, i.e. authn_file or authz_svn, from accepting valid requests.

Replacing AUTH_REQUIRED with DECLINED seems to solve the problem:

http://www.redmine.org/projects/redmine/repository/revisions/9887/entry/trunk/extra/svn/Redmine.pm#L345

--- Redmine.pm.9887    2012-07-22 22:21:17.410411915 +0200
+++ Redmine.pm        2012-07-22 20:55:00.014411918 +0200
@@ -342,7 +342,8 @@
       return OK;
   } else {
       $r->note_auth_failure();
-      return AUTH_REQUIRED;
+#      return AUTH_REQUIRED;
+      return DECLINED;
   }
 }
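
Review bot: In the else branch, note_auth_failure() is still called but the handler now returns DECLINED unconditionally, so a failed Redmine check is no longer a rejection on its own and the result depends entirely on whichever auth provider runs next. Consider making the fallback opt-in through a configuration setting so existing setups keep the authoritative AUTH_REQUIRED behaviour, and document that a fallback provider has to be configured when it is enabled. The commented-out "# return AUTH_REQUIRED;" line should be deleted rather than left in the file.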

However, I am not very confident about whether this will satisfy all cases and not break others. Comments and/or suggestions from relevant experts are welcomed and very much appreciated.

Quoting from http://perl.apache.org/docs/2.0/user/handlers/http.html#HTTP_Request_Cycle_Phases

Before discussing each handler in detail remember that if you use the stacked handlers feature all handlers in the chain will be run as long as they return Apache2::Const::OK or Apache2::Const::DECLINED...

Actions #1

Updated by Jean-Philippe Lang over 12 years ago

  • Category set to SCM extra
  • Status changed from New to Closed
  • Assignee set to Jean-Philippe Lang
  • Target version set to 2.1.0
  • Resolution set to Fixed

Committed in r10281, thanks.

Actions #2

Updated by Raphael Kallensee about 12 years ago

I upgraded from Redmine 2.0.x to 2.1.x and I'm pretty sure this broke my (pretty much default) auth configuration (Ubuntu 10.04, Apache 2.2.14). When trying to authenticate for a Git ("dumb HTTP") repository, I got an HTTP 500 and Apache logged:

[Tue Oct 30 19:29:25 2012] [error] [client xxx.xxx.xxx.xxx] (9)Bad file descriptor: Could not open password file: (null)
[Tue Oct 30 19:29:16 2012] [error] Internal error: pcfg_openfile() called with NULL filename

This is the relevant part of my Apache virtual host configuration:

PerlLoadModule Apache::Redmine

## GIT

Alias /git /var/www/my.domain/git

<Location /git>
    DAV on

    AuthType Basic
    AuthName "Git" 
    Require valid-user

    Options +Indexes -ExecCGI -Includes
    php_admin_flag engine off

    PerlAccessHandler Apache::Authn::Redmine::access_handler
    PerlAuthenHandler Apache::Authn::Redmine::authen_handler

    RedmineDSN "DBI:mysql:database=redmine;host=localhost" 
    RedmineDbUser "redmine" 
    RedmineDbPass "password" 
</Location>

I got it working by adding

...
AuthName "Git" 
Require valid-user
# this was added to avoid the Apache error
AuthUserFile /dev/null
...

But I still get some warnings in the Apache log, although authentication now works:

[Tue Oct 30 22:10:52 2012] [error] [client xxx.xxx.xxx.xxx] user xyz not found: /git/repo-name/info/refs

If it's not just me getting this behavior we should probably at least update the documentation.
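
A toy model of the authentication phase discussed in this thread, added here as an illustration (it is not Redmine.pm or Apache code). The handler stand-ins, sample users and passwords are constructed, and plaintext comparison replaces the real hash checks. It shows how returning DECLINED instead of AUTH_REQUIRED hands the decision to the file provider, including the case where no AuthUserFile is configured.

```perl
# Toy model of Apache's authentication phase: handlers run in order and the
# first result other than DECLINED ends the phase. Not Redmine.pm code.
use strict; use warnings;
use constant { OK => 0, DECLINED => -1, AUTH_REQUIRED => 401, SERVER_ERROR => 500 };
# Constructed sample data; plaintext comparison stands in for real hash checks.
my %redmine_members = (alice    => 'alice-pw');   # known to Redmine
my %htpasswd_admins = (svnadmin => 'admin-pw');   # only in the fallback file

sub matches {
    my ($table, $user, $pass) = @_;
    return exists($table->{$user}) && $table->{$user} eq $pass;
}

# Stand-in for Redmine.pm's authen_handler. $on_failure is what it returns when
# Redmine rejects the credentials: AUTH_REQUIRED (old) or DECLINED (patched).
sub redmine_handler {
    my ($on_failure) = @_;
    return sub { matches(\%redmine_members, @_) ? OK : $on_failure };
}

# Stand-in for mod_auth_basic's file provider. $file is undef when no
# AuthUserFile is set, or a hash of users (empty for /dev/null).
sub file_handler {
    my ($file) = @_;
    return sub {
        return SERVER_ERROR unless defined $file;
        return matches($file, @_) ? OK : AUTH_REQUIRED;
    };
}

sub run_authen_phase {
    my ($user, $pass, @handlers) = @_;
    for my $handler (@handlers) {
        my $rc = $handler->($user, $pass);
        return $rc unless $rc == DECLINED;
    }
    return SERVER_ERROR;   # every handler declined: modelled as a config error
}

my @cases = (   # label, Redmine failure code, fallback file, user, password
    ['old, htpasswd-only admin',     AUTH_REQUIRED, \%htpasswd_admins, 'svnadmin', 'admin-pw'],
    ['patched, htpasswd-only admin', DECLINED,      \%htpasswd_admins, 'svnadmin', 'admin-pw'],
    ['patched, no AuthUserFile',     DECLINED,      undef,             'svnadmin', 'admin-pw'],
    ['patched, /dev/null file',      DECLINED,      {},                'svnadmin', 'admin-pw'],
    ['patched, Redmine member',      DECLINED,      \%htpasswd_admins, 'alice',    'alice-pw'],
);
for my $case (@cases) {
    my ($label, $on_failure, $file, @creds) = @$case;
    my $rc = run_authen_phase(@creds, redmine_handler($on_failure), file_handler($file));
    printf "%-30s -> %s\n", $label, $rc == OK ? 'OK' : $rc;
}
```

In this model the htpasswd-only account is refused with 401 by the old code and accepted by the patched code, while the patched code with no password file configured ends in a 500 for any login Redmine does not accept.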

Actions #3

Updated by Mike Stromer about 12 years ago

Raphael Kallensee, I had the same issue on Redmine 2.1.2

[Wed Oct 31 03:39:20 2012] [error] [client xxx.xxx.xxx.xxx] user USER not found: /git/info/refs

Actions #4

Updated by Mike Stromer about 12 years ago

I checked the MySQL log and I guess there is an issue with the MySQL query: projects.identifier=NULL

 SELECT users.hashed_password, users.salt, users.auth_source_id, roles.permissions, projects.status FROM projects, users, roles WHERE users.login='USER' AND projects.identifier=NULL AND users.status=1 AND ( roles.id IN (SELECT member_roles.role_id FROM members, member_roles WHERE members.user_id = users.id AND members.project_id = projects.id AND members.id = member_roles.member_id) OR (roles.builtin=1 AND cast(projects.is_public as CHAR) IN ('t', '1')) ) AND roles.permissions IS NOT NULL

Actions #5

Updated by Woody Huang almost 12 years ago

Mike Stromer wrote:

I checked the MySQL log and I guess there is an issue with the MySQL query: projects.identifier=NULL

[...]

I got the same error under Redmine 2.2.2 (with git 1.7.9), but projects.identifier= in the MySQL log is the name of the git repo. I was thinking of modifying the patch to get the project identifier from the repo URL, but then I realized that using the repo name as the project identifier really makes sense.

The only problem may be multiple repos under one project. Actually, the patch handles it already; the Redmine.pm comments read as follows:

A projet repository must be named with the projet identifier. In case
of multiple repositories for the same project, use the project identifier
and the repository identifier separated with a dot:

  /var/svn/foo
  /var/svn/foo.otherrepo