Redmine - Defect #5236: Can't browse SVN of private project w/o giving a login and pass in settings
https://www.redmine.org/issues/5236?journal_id=15656 | 2010-04-06T15:54:09Z | Anthony Paul
<ul><li><strong>File</strong> <a href="/attachments/3520">Redmine.pm.patch</a> added</li><li><strong>File</strong> <a href="/attachments/3521">subversion_adapter.rb.patch</a> added</li></ul><p>Here is a small patch for what I'm trying to do.<br />First of all, my apologies, I'm not a hacker... (and I'm not able to move the "defect" status to "patch" status).</p>
<p>First, I changed Redmine.pm so we can go through authentication when the svn client has the same IP as the server. In many cases, it should mean that Redmine is trying to access the SVN repository.</p>
<p>Then I modified subversion_adapter.rb so when Redmine is trying to display a private repository it checks if the current user is a member of this project.</p>
<p>It's obviously less safe. Please let me know if you have any suggestions.</p>
https://www.redmine.org/issues/5236?journal_id=15662 | 2010-04-06T17:58:39Z | Radek Antoniuk
<ul></ul><p>Nice patch, although imho it is totally the wrong way to go.<br />Firstly, you don't have to change Redmine.pm because you can achieve the same via<br />order allow,deny<br />allow from 127.0.0.1</p>
<p>Satisfy Any<br />in your apache webdav conf of subversion server.</p>
https://www.redmine.org/issues/5236?journal_id=15663 | 2010-04-06T18:57:28Z | Anthony Paul
<ul></ul><p>Hi and thank you for your comment!<br />As you can see in my post via the forum ( <a class="external" href="http://www.redmine.org/boards/2/topics/12645">http://www.redmine.org/boards/2/topics/12645</a> ), I tried this configuration:<br /><pre>Allow from 127.0.0.1 11.22.33.44 myserver.mydomain.fr ...
satisfy any</pre> but I was unsuccessful...<br />From my server prompt, an "svn list <a class="external" href="https://myserver.mydomain.fr/svn/myproject">https://myserver.mydomain.fr/svn/myproject</a>" was still asking me for login and password. That's why I patched Redmine.pm. However, maybe I missed something so I'll try again with a genuine Redmine.pm.</p>
https://www.redmine.org/issues/5236?journal_id=15684 | 2010-04-07T18:21:10Z | Radek Antoniuk
<ul></ul><p>order allow,deny<br />or <br />order deny,allow<br />deny from all<br />allow from 127.0.0.1<br />allow from myserver.mydomain.fr</p>
<p>satisfy any</p>
<p>has to work.</p>
https://www.redmine.org/issues/5236?journal_id=15688 | 2010-04-08T06:54:08Z | Anthony Paul
<ul></ul><p>Thank you for your help!<br />I tried alternative order since I used order allow,deny before, but I still have the same result... Redmine's log is complaining about<br />"No close tag for /lists/list" as before, and when I try:<br /><pre>root@myserver# svn list https://myserver.mydomain.fr/svn/project --non-interactive --trust-server-cert</pre><br />I still get<br /><pre>Could not authenticate to server: rejected Basic challenge (https://myserver.mydomain.fr)</pre></p>
<p>Maybe I'm really missing something obvious, but I can't find it out...<br />(Just to be sure, here is my modified conf:)<br /><pre>
PerlLoadModule Apache::Redmine
PerlLoadModule Authen::Simple::LDAP
<Location /svn>
DAV svn
SVNParentPath "/var/svn"
Satisfy any
PerlAccessHandler Apache::Authn::Redmine::access_handler
PerlAccessHandler Apache::Authn::Redmine::authen_handler
AuthType Basic
AuthName "SVN Repository"
AuthBasicAuthoritative off
<Limit GET PROPFIND OPTIONS REPORT>
Require valid-user
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from 11.22.33.44
Allow from myserver.mydomain.fr
Satisfy any
</Limit>
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
RedmineDSN "DBI:mysql:database=redmine_db;host=localhost"
RedmineDbUser "dbuser"
RedmineDbPass "dbpass"
</Location>
</pre></p>
<p>Thanks for your help..</p>
https://www.redmine.org/issues/5236?journal_id=15701 | 2010-04-08T21:36:42Z | Radek Antoniuk
<ul></ul><p>obviously.<br />you are using https. probably with a self-signed certificate.<br />so, you have to add the certificate to the trusted ones.</p>
<p>Please see <br /><a class="external" href="http://www.redmine.org/boards/2/topics/11896">http://www.redmine.org/boards/2/topics/11896</a><br />this will help you.</p>
https://www.redmine.org/issues/5236?journal_id=15712 | 2010-04-09T09:10:06Z | Anthony Paul
<ul></ul><p>Yes, I'm using a self-signed certificate however it doesn't seem to be the problem.<br />I've read many topics about it, and tried both options "--trust-server-cert" and "--config-dir" with a well .subversion directory created for my www-data user (as you can see in my forum post). Anyway, since I'm using now svn > 1.6, I think option "--trust-server-cert" should be sufficient.</p>
<p>More, if I disable SSL so I can join Redmine and SVN repositories through HTTP only, I still have this problem.</p>
<p>I thought my <Limit> directive wasn't read by Apache for any reason, but with further testing, I can confirm it is understood (ie: if I write a "deny from all" in this, everything is denied as expected).<br />Apache doc refers that the REPORT method isn't managed by <Limit>, I removed it with no more success.</p>
<p>I don't remember if I mentioned it before, but in case of a "public" project, everything works as expected. My problem occurs only for "private" project.<br />As soon as I make my project "private", an "svn list <a class="external" href="http://myserver.mydomain.fr/svn/private_project">http://myserver.mydomain.fr/svn/private_project</a>" from my server prompt asks me for password...</p>
<p>If you have the opportunity, could you try it with a private project on your own configuration if you still use SVN and HTTP(S)?</p>
<p>Thanks for your help again!</p>
https://www.redmine.org/issues/5236?journal_id=15714 | 2010-04-09T11:25:42Z | Radek Antoniuk
<ul></ul><p>All my projects are private.<br />And I don't see any connection between setting the project to private and the ability to invoke a shell command svn list (for example) without a password.</p>
<p>My advice, go to apache logs, and check what IP is trying to access the repository<br />and then allow from that ip.<br />You can also test<br />allow from any</p>
<p>if it works</p>
https://www.redmine.org/issues/5236?journal_id=15719 | 2010-04-09T12:54:09Z | Anthony Paul
<ul></ul><p>Thanks for your prompt reply!</p>
<p>Allow from any (or all) didn't change the behaviour.<br />Checking the log let me know that the server is queried with its own address (configured IP as 11.22.33.44 not 127.0.0.1) and thus I added it in the "Allow from" list. Additionally, because I wasn't sure the svn client used this address, I checked it with tcpdump and it appears it also uses 11.22.33.44.</p>
<p>Because of the apache config:<br /><pre>
<Location /svn>
...
<Limit GET PROPFIND OPTIONS>
Order allow,deny
Allow from 127.0.0.1
Allow from 11.22.33.44
Allow from all
Satisfy any
Require valid-user
</Limit>
...
</pre></p>
<p>I guess using an svn client from 11.22.33.44 prompt should act like this:<br />if @IP == 11.22.33.44 then "allow access" <br />else "ask for a password"</p>
<p>That's what the subversion_adapter.rb does to get the xml output (actually, with more options like "svn info https://... --non-interactive --xml").<br />Using this command line is more convenient for testing than refresh the redmine page on the "The entry or revision was not found in the repository" message and get not so pertinent information in the log.</p>
<p>By the way, my logs are always the same,<br />Redmine:<br /><pre>
Processing RepositoriesController#show (for 10.xx.xx.xx at 2010-04-09 10:35:53) [GET]
Parameters: {"action"=>"show", "id"=>"adminscript", "controller"=>"repositories"}
Error parsing svn output: #<REXML::ParseException: No close tag for /lists/list>
/usr/lib/ruby/1.8/rexml/parsers/treeparser.rb:28:in `parse'
... snip ...
/usr/lib/phusion_passenger/passenger-spawn-server:61
...
No close tag for /lists/list
Line:
Position:
Last 80 unconsumed characters:
Output was:
<?xml version="1.0"?>
<lists>
<list
path="https://myserver.mydomain.fr/svn/private_project">
Rendering template within layouts/base
Completed in 2376ms (View: 233, DB: 20) | 500 Internal Server Error [https://myserver.mydomain.fr/projects/private_project/repository]
</pre></p>
<p>And Apache:<br /><pre>
svn: OPTIONS of 'https://myserver.mydomain.fr/svn/private_project': authorization failed: Could not authenticate to server: rejected Basic challenge (https://myserver.mydomain.fr)</pre></p>
<p>(one more thing, I don't provide login/password in the settings / repository tab since that's what I want to avoid)</p>
https://www.redmine.org/issues/5236?journal_id=15722 | 2010-04-09T13:29:01Z | Radek Antoniuk
<ul></ul><p>Move the things out of <Limit>, to the <Location> and try then?</p>
https://www.redmine.org/issues/5236?journal_id=15723 | 2010-04-09T13:57:43Z | Anthony Paul
<ul></ul><p>Hi again,</p>
<p>Yeah, I had the same idea (and I'm confused I didn't think about it before).<br />I moved the <limit> so I have:<br /><pre>
<Location /svn>
DAV svn
SVNParentPath "/var/svn"
PerlAccessHandler Apache::Authn::Redmine::access_handler
PerlAccessHandler Apache::Authn::Redmine::authen_handler
AuthType Basic
AuthName "SVN Repository"
AuthBasicAuthoritative off
# Allow from all
Order allow,deny
Allow from 127.0.0.1
Allow from 10.x.x.x
Allow from myserver.mydomain.fr
Satisfy any
Require valid-user
# <LimitExcept GET PROPFIND OPTIONS REPORT>
# Require valid-user
# </LimitExcept>
RedmineDSN "DBI:mysql:database=redmine_db;host=localhost"
RedmineDbUser "..."
RedmineDbPass "..."
</Location>
</pre></p>
<p>I have the same result: Redmine still can't browse the repository, the server prompt still asks for password, but svn on a client keeps on working as expected.<br />Comment the LimitExcept doesn't change the behaviour as well.<br />Same messages in the logs.<br />Of course, I had to comment out the "Allow from all" to be able to checkout or commit from a remote client.</p>
<p>And as I said in the forum, I can't remove the "require valid-user" because I would have this message in Redmine error log:<br />[error] access to /svn/sandbox failed for 11.22.33.44, reason: No authentication has been configured<br />(it's a message from Redmine.pm)</p>
https://www.redmine.org/issues/5236?journal_id=15724 | 2010-04-09T14:02:57Z | Radek Antoniuk
<ul></ul><p>Interesting. Can you try hashing out the PerlAccessHandler too?</p>
https://www.redmine.org/issues/5236?journal_id=15726 | 2010-04-09T14:35:24Z | Anthony Paul
<ul></ul><p>Radek Antoniuk wrote:</p>
<blockquote>
<p>Interesting. Can you try hashing out the PerlAccessHandler too?</p>
</blockquote>
<p>hmmm... I'm not sure to know how to do this, sorry, I'm not a hacker and my Perl skills are not so high...<br />However, the result of this line:<br />my ($res, $redmine_pass) = $r->get_basic_auth_pw();</p>
<p>Gives me a "401" in $res. It should mean "auth required".</p>
<p>Do you know how I could get more (interesting) infos?<br />Thanks for your help again and again!</p>
https://www.redmine.org/issues/5236?journal_id=15727 | 2010-04-09T14:43:32Z | Radek Antoniuk
<ul></ul><p>I meant... <br />comment out those two lines in <Location> :)</p>
https://www.redmine.org/issues/5236?journal_id=15728 | 2010-04-09T15:08:12Z | Anthony Paul
<ul></ul><p>aaaaaah, sorry..!<br />OK, I've commented them out, and well seen, it still asks me for a password at the server prompt and still doesn't display the repository from redmine.<br />However, what I tried is with a config conform with this howto: <a class="external" href="http://www.redmine.org/wiki/redmine/Repositories_access_control_with_apache_mod_dav_svn_and_mod_perl">http://www.redmine.org/wiki/redmine/Repositories_access_control_with_apache_mod_dav_svn_and_mod_perl</a></p>
<pre>
<Location /svn>
DAV svn
SVNParentPath "/var/svn"
Satisfy any
# PerlAccessHandler Apache::Authn::Redmine::access_handler
# PerlAccessHandler Apache::Authn::Redmine::authen_handler
AuthType Basic
AuthName "SVN Repository"
Order deny,allow
(1) Deny from all
<Limit GET PROPFIND OPTIONS REPORT>
Order allow,deny
Allow from 127.0.0.1
Allow from 11.22.33.44
Satisfy any
Require valid-user
</Limit>
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
database stuff...
</pre>
<p>At (1), if I change to a "Allow from all", then everything works as it should:<br />- svn doesn't prompt for a password when launched from the server<br />- redmine displays the repos<br />- remote clients have to supply their password (though these passwords are not recognized because we commented out the perl module)</p>
<p>I don't understand why the "deny from all" in <location> is not overridden by the "allow from my.ip" in <limit>...</p>
https://www.redmine.org/issues/5236?journal_id=15729 | 2010-04-09T15:16:06Z | Anthony Paul
<ul></ul><p>oooops, sorry...<br />if I use the "allow from all" in <location>, then nobody is asked password to co/ci (both server or remote client),<br />but if I use "deny from all", everybody is asked.<br />sorry...</p>
https://www.redmine.org/issues/5236?journal_id=15730 | 2010-04-09T15:41:49Z | Anthony Paul
<ul></ul><p>sorry again for multi-posting...<br />If I remove any "Allow from..." from <location>, it seems to work. ie:<br />no password asked from server prompt,<br />no password asked from client if it is a public project<br />password asked from client if it is private project.</p>
<p>However, as soon as I put back the perl handler in the conf, server starts to ask me password for private project, and more, password provided from client is not recognized which gives only this in the logs:<br /> - anthony [09/Apr/2010:17:39:25 +0200] "OPTIONS /svn/sandbox HTTP/1.1" 500 756 "-" "SVN/1.6.5 (r38866) neon/0.28.6" )<br />I have to add "allow from all" in <location> in order the client password is correctly recognized...</p>
<p>I'm turning crazy...</p>
<p>The best I can do is to let this <location>Allow from all, then use my Redmine.pm patch (I forgot to write it in the main post, but this patch works only if this <location>Allow from all is set)</p>
https://www.redmine.org/issues/5236?journal_id=15878 | 2010-04-14T08:49:25Z | Radek Antoniuk
<ul></ul><p>Hey,</p>
<p>I've just configured my instance of Redmine to use<br /><a class="external" href="http://www.redmine.org/wiki/redmine/Repositories_access_control_with_apache_mod_dav_svn_and_mod_perl">http://www.redmine.org/wiki/redmine/Repositories_access_control_with_apache_mod_dav_svn_and_mod_perl</a><br />and with<br />allow from my.ip.of.redmine<br />satisfy any</p>
<p>and it works perfectly fine.</p>
https://www.redmine.org/issues/5236?journal_id=15979 | 2010-04-19T07:06:15Z | Anthony Paul
<ul></ul><p>Thank you so much for having done those tests.<br />I also tried different config without success. Maybe the problem is because I use the redmine package on debian testing, though I tried with the redmine source tarball as well. The problem should come from my eyes... I'll try it again later...</p>
https://www.redmine.org/issues/5236?journal_id=18249 | 2010-07-12T19:49:48Z | Felix Schäfer
<ul></ul><p>Can this be considered closed as it is already handled in the docs by the additional "allow from IP" setting?</p>
https://www.redmine.org/issues/5236?journal_id=18794 | 2010-07-29T07:36:55Z | Anthony Paul
<ul></ul><p>Actually, I still have the problem and have to use the patches I attached above... Maybe it's a debian testing issue since I can't figure out why I can't make it work with an "allow from ip"...</p>
https://www.redmine.org/issues/5236?journal_id=18796 | 2010-07-29T08:10:57Z | Felix Schäfer
<ul></ul><p>Anthony Paul wrote:</p>
<blockquote>
<p>Actually, I still have the problem and have to use the patches I attached above... Maybe it's a debian testing issue since I can't figure out why I can't make it work with an "allow from ip"…</p>
</blockquote>
<p>The "allow from IP" setting is an apache setting and should make apache completely bypass any other authentication scheme defined in that portion of the apache config, so nothing that has to do with redmine here.</p>
https://www.redmine.org/issues/5236?journal_id=44504 | 2013-01-15T23:17:22Z | Mr Embedded
<ul></ul><p>I had this same problem where I was forced to add a username/password with https no matter if I:</p>
<ul>
<li>Accepted the certificate initially and used --config-dir</li>
<li>Used --trust-server-cert</li>
</ul>
<p>If I removed the 'Deny from All' like you did from the <location> tag it did work with no security.</p>
<p>My issue was in the /etc/hosts file. The apache logs were showing the hostname (not localhost or IP) was being used in the call. I had localhost, 127.0.0.1 and the fqdn as 'allow from' items but I needed to add the fqdn inside the /etc/hosts file and reference it to the local IP for this to work properly.</p>
<p>This was probably due to some funkiness with 1:1 NAT and some NAT reflection settings in use.</p>
https://www.redmine.org/issues/5236?journal_id=79547 | 2017-06-28T15:56:06Z | Toshi MARUYAMA
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/79547/diff?detail_id=62558">diff</a>)</li></ul>
https://www.redmine.org/issues/5236?journal_id=79550 | 2017-06-28T15:57:38Z | Toshi MARUYAMA
<ul><li><strong>Has duplicate</strong> <i><a class="issue tracker-1 status-5 priority-4 priority-default closed" href="/issues/11343">Defect #11343</a>: I'm solved svn connect https protocl</i> added</li></ul>
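<p>Added example (not part of the thread, and not Redmine or Apache code): a simplified Python model of how Apache 2.2 combines Order/Allow/Deny with Require valid-user under Satisfy, applied to the kinds of configuration posted above. It ignores hostname matching, <Limit> merging and the mod_perl handlers; 203.0.113.7 is a constructed remote address and the section names are hypothetical.</p>

```python
# Added example: simplified model of Apache 2.2 host access control
# (Order/Allow/Deny) combined with "Require valid-user" under Satisfy.
# Not modelled: hostname matching, <Limit> merging, mod_perl handlers.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Section:
    order: str = "deny,allow"      # Apache 2.2 default
    allow: tuple = ()              # "all" or IP/CIDR strings
    deny: tuple = ()
    satisfy: str = "all"           # Apache default
    require_valid_user: bool = True


def _matches(client: str, specs: tuple) -> bool:
    ip = ip_address(client)
    return any(s.lower() == "all" or ip in ip_network(s, strict=False)
               for s in specs)


def host_allowed(sec: Section, client: str) -> bool:
    allowed = _matches(client, sec.allow)
    denied = _matches(client, sec.deny)
    if sec.order.lower().replace(" ", "") == "allow,deny":
        return allowed and not denied   # default deny, a Deny match wins
    return allowed or not denied        # default allow, an Allow match wins


def decide(sec: Section, client: str, authenticated: bool = False) -> int:
    """Return the HTTP status the model predicts: 200, 401 or 403."""
    host_ok = host_allowed(sec, client)
    if not sec.require_valid_user:
        return 200 if host_ok else 403
    if sec.satisfy.lower() == "any":
        return 200 if (host_ok or authenticated) else 401
    if not host_ok:
        return 403
    return 200 if authenticated else 401


SERVER, REMOTE = "11.22.33.44", "203.0.113.7"   # REMOTE is constructed

# "Allow from all" with "Satisfy any", as in the <Limit> block in the thread
WIDE_OPEN = Section("allow,deny", ("127.0.0.1", SERVER, "all"), (), "any")
# Only the Redmine host skips the password prompt
RESTRICTED = Section("deny,allow", ("127.0.0.1", SERVER), ("all",), "any")
# Same lists under "Order allow,deny": "Deny from all" beats every Allow
MISORDERED = Section("allow,deny", ("127.0.0.1", SERVER), ("all",), "any")


def matrix() -> dict:
    cases = {"wide_open": WIDE_OPEN, "restricted": RESTRICTED,
             "misordered": MISORDERED}
    return {name: {"server": decide(sec, SERVER),
                   "remote_anon": decide(sec, REMOTE),
                   "remote_auth": decide(sec, REMOTE, authenticated=True)}
            for name, sec in cases.items()}


if __name__ == "__main__":
    for name, row in matrix().items():
        print(f"{name:11} {row}")
```

<p>The wide_open row is the case reported in the thread where nobody is asked for a password: under Satisfy any, a passing host check makes Require valid-user irrelevant, so "Allow from all" leaves a private repository readable without credentials.</p>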