Feature #11475

Redmine.pm: Allow fallback to other Apache auth providers

Added by Yasin Al Farhad over 5 years ago. Updated almost 5 years ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: Jean-Philippe Lang
% Done: 0%
Category: SCM extra
Target version: 2.1.0
Resolution: Fixed

Description

The goal was to allow other auth modules to co-exist with Redmine.pm, and thus satisfy special case requests covering global administrative/anonymous requests in addition to those allowed by Redmine based on project relationships. I tried every other possible combination of Apache directives to achieve this goal, but it looks like by returning AUTH_REQUIRED early in the process, Redmine.pm is becoming authoritative and preventing other modules, i.e. authn_file or authz_svn, from accepting valid requests.

Replacing AUTH_REQUIRED with DECLINED seems to solve the problem:

http://www.redmine.org/projects/redmine/repository/revisions/9887/entry/trunk/extra/svn/Redmine.pm#L345

--- Redmine.pm.9887    2012-07-22 22:21:17.410411915 +0200
+++ Redmine.pm        2012-07-22 20:55:00.014411918 +0200
@@ -342,7 +342,8 @@
       return OK;
   } else {
       $r->note_auth_failure();
-      return AUTH_REQUIRED;
+#      return AUTH_REQUIRED;
+      return DECLINED;
   }
 }
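
Review bot: In the else branch, returning DECLINED unconditionally changes the failure path for every installation, not only for those that configured a second provider: a login that Redmine rejects is now handed to whichever authentication handler runs next, and the outcome depends on how that handler is configured. Consider making the fallback opt-in through a configuration directive with AUTH_REQUIRED kept as the default, or document which provider settings the new behaviour requires. Delete the commented-out `#      return AUTH_REQUIRED;` line rather than leaving it in the file, and check whether `$r->note_auth_failure();` still belongs on a path that no longer ends the request itself.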

However, I am not very confident about whether this will satisfy all cases and not break others. Comments and/or suggestions from relevant experts are welcomed and very much appreciated.

Quoting from http://perl.apache.org/docs/2.0/user/handlers/http.html#HTTP_Request_Cycle_Phases

Before discussing each handler in detail remember that if you use the stacked handlers feature all handlers in the chain will be run as long as they return Apache2::Const::OK or Apache2::Const::DECLINED...

Associated revisions

Revision 10281
Added by Jean-Philippe Lang about 5 years ago

Redmine.pm: Allow fallback to other Apache auth providers (#11475).

Contributed by Yasin Al Farhad.

History

#1 Updated by Jean-Philippe Lang about 5 years ago

  • Category set to SCM extra
  • Status changed from New to Closed
  • Assignee set to Jean-Philippe Lang
  • Target version set to 2.1.0
  • Resolution set to Fixed

Committed in r10281, thanks.

#2 Updated by Raphael Kallensee about 5 years ago

I upgraded from Redmine 2.0.x to 2.1.x and I'm pretty sure this broke my (pretty much default) auth configuration (Ubuntu 10.04, Apache 2.2.14). When trying to authenticate for a Git ("dumb HTTP") repository, I got an HTTP 500 and Apache logged:

[Tue Oct 30 19:29:25 2012] [error] [client xxx.xxx.xxx.xxx] (9)Bad file descriptor: Could not open password file: (null)
[Tue Oct 30 19:29:16 2012] [error] Internal error: pcfg_openfile() called with NULL filename

This is the relevant part of my Apache virtual host configuration:

PerlLoadModule Apache::Redmine

## GIT

Alias /git /var/www/my.domain/git

<Location /git>
    DAV on

    AuthType Basic
    AuthName "Git" 
    Require valid-user

    Options +Indexes -ExecCGI -Includes
    php_admin_flag engine off

    PerlAccessHandler Apache::Authn::Redmine::access_handler
    PerlAuthenHandler Apache::Authn::Redmine::authen_handler

    RedmineDSN "DBI:mysql:database=redmine;host=localhost" 
    RedmineDbUser "redmine" 
    RedmineDbPass "password" 
</Location>

I got it working by adding

...
AuthName "Git" 
Require valid-user
# this was added to avoid the Apache error
AuthUserFile /dev/null
...

But I still get some warnings in the Apache log, although authentication now works:

[Tue Oct 30 22:10:52 2012] [error] [client xxx.xxx.xxx.xxx] user xyz not found: /git/repo-name/info/refs

If it's not just me getting this behavior we should probably at least update the documentation.
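
The two ways to give mod_auth_basic a usable provider once Redmine.pm declines failed logins, as an added example (not part of the comment above or of Redmine's documentation). It reuses the Apache 2.2 configuration quoted in that comment; the htpasswd path in option B is a hypothetical placeholder.

```apache
# Added example for Apache 2.2 with a Redmine.pm that returns DECLINED on failure.
PerlLoadModule Apache::Redmine

<Location /git>
    DAV on

    AuthType Basic
    AuthName "Git"
    Require valid-user

    # Redmine.pm is consulted first. When it declines a login,
    # mod_auth_basic runs next with the provider configured below.
    PerlAccessHandler Apache::Authn::Redmine::access_handler
    PerlAuthenHandler Apache::Authn::Redmine::authen_handler

    RedmineDSN "DBI:mysql:database=redmine;host=localhost"
    RedmineDbUser "redmine"
    RedmineDbPass "password"

    # "file" is the default provider; naming it makes the fallback explicit.
    AuthBasicProvider file

    # Option A: no fallback accounts wanted.
    # An empty user database turns every login Redmine declines into a 401
    # (logged as "user ... not found") instead of the 500 caused by an
    # unset AuthUserFile.
    AuthUserFile /dev/null

    # Option B: fallback accounts wanted (use instead of option A).
    # Hypothetical path. Every account in this file satisfies
    # "Require valid-user" for all repositories under this Location,
    # whatever its Redmine project membership, so keep the file short,
    # root-owned and readable only by the Apache user.
    #AuthUserFile /etc/apache2/scm-fallback.htpasswd
</Location>
```

With option A the "user ... not found" lines in the error log are expected for logins that Redmine declined.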

#3 Updated by Mike Stromer about 5 years ago

Raphael Kallensee, I had the same issue on Redmine 2.1.2

[Wed Oct 31 03:39:20 2012] [error] [client xxx.xxx.xxx.xxx] user USER not found: /git/info/refs

#4 Updated by Mike Stromer about 5 years ago

I checked the MySQL log and I guess there is an issue with the MySQL query projects.identifier=NULL

 SELECT users.hashed_password, users.salt, users.auth_source_id, roles.permissions, projects.status FROM projects, users, roles WHERE users.login='USER' AND projects.identifier=NULL AND users.status=1 AND ( roles.id IN (SELECT member_roles.role_id FROM members, member_roles WHERE members.user_id = users.id AND members.project_id = projects.id AND members.id = member_roles.member_id) OR (roles.builtin=1 AND cast(projects.is_public as CHAR) IN ('t', '1')) ) AND roles.permissions IS NOT NULL

#5 Updated by Woody Huang almost 5 years ago

Mike Stromer wrote:

I checked the MySQL log and I guess there is an issue with the MySQL query projects.identifier=NULL

[...]

I got the same error under Redmine 2.2.2 (with git 1.7.9), but projects.identifier= in the MySQL log is the name of the git repo. I was thinking of modifying the patch to get the project identifier from the repo URL, but then I realized that using the repo name as the project identifier really makes sense.

The only problem may be multiple repos under a project. Actually, the patch handles it already; Redmine.pm comments as follows:

A projet repository must be named with the projet identifier. In case
of multiple repositories for the same project, use the project identifier
and the repository identifier separated with a dot:

  /var/svn/foo
  /var/svn/foo.otherrepo
