Posted to commits@subversion.apache.org by st...@apache.org on 2013/10/08 02:43:33 UTC

svn commit: r1530121 - in /subversion/trunk/subversion/svnserve: cyrus_auth.c serve.c server.h

Author: stefan2
Date: Tue Oct  8 00:43:32 2013
New Revision: 1530121

URL: http://svn.apache.org/r1530121
Log:
Instead of evaluating the repos-global access settings from svnserve.conf
again and again, read them once and store the result in the repository_t.

* subversion/svnserve/server.h
  (repository_t): add members for repo-global access settings
  (get_access): drop

* subversion/svnserve/serve.c
  (get_access): new config reader utility
  (set_access): initialize new repository_t members
  (current_access
   send_mechs,
   auth,
   must_have_access): update / simplify using the new struct members
  (find_repos): ditto; initialize new struct members

* subversion/svnserve/cyrus_auth.c
  (cyrus_auth_request): update / simplify using the new struct members

Modified:
    subversion/trunk/subversion/svnserve/cyrus_auth.c
    subversion/trunk/subversion/svnserve/serve.c
    subversion/trunk/subversion/svnserve/server.h

Modified: subversion/trunk/subversion/svnserve/cyrus_auth.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/svnserve/cyrus_auth.c?rev=1530121&r1=1530120&r2=1530121&view=diff
==============================================================================
--- subversion/trunk/subversion/svnserve/cyrus_auth.c (original)
+++ subversion/trunk/subversion/svnserve/cyrus_auth.c Tue Oct  8 00:43:32 2013
@@ -285,7 +285,7 @@ svn_error_t *cyrus_auth_request(svn_ra_s
   svn_ra_svn__default_secprops(&secprops);
 
   /* Don't allow ANONYMOUS if a username is required. */
-  no_anonymous = needs_username || get_access(b, UNAUTHENTICATED) < required;
+  no_anonymous = needs_username || b->repository->anon_access < required;
   if (no_anonymous)
     secprops.security_flags |= SASL_SEC_NOANONYMOUS;
 

Modified: subversion/trunk/subversion/svnserve/serve.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/svnserve/serve.c?rev=1530121&r1=1530120&r2=1530121&view=diff
==============================================================================
--- subversion/trunk/subversion/svnserve/serve.c (original)
+++ subversion/trunk/subversion/svnserve/serve.c Tue Oct  8 00:43:32 2013
@@ -590,25 +590,47 @@ static svn_error_t *authz_commit_cb(svn_
   return authz_check_access(allowed, path, required, sb->server, pool);
 }
 
-
-enum access_type get_access(server_baton_t *b, enum authn_type auth)
+/* Return the access level specified for OPTION in CFG.  If no such
+ * setting exists, use DEF.  If READ_ONLY is set, unconditionally disable
+ * write access.
+ */
+static enum access_type
+get_access(svn_config_t *cfg,
+           const char *option,
+           const char *def,
+           svn_boolean_t read_only)
 {
-  const char *var = (auth == AUTHENTICATED) ? SVN_CONFIG_OPTION_AUTH_ACCESS :
-    SVN_CONFIG_OPTION_ANON_ACCESS;
-  const char *val, *def = (auth == AUTHENTICATED) ? "write" : "read";
   enum access_type result;
+  const char *val;
 
-  svn_config_get(b->repository->cfg, &val, SVN_CONFIG_SECTION_GENERAL, var,
-                 def);
+  svn_config_get(cfg, &val, SVN_CONFIG_SECTION_GENERAL, option, def);
   result = (strcmp(val, "write") == 0 ? WRITE_ACCESS :
             strcmp(val, "read") == 0 ? READ_ACCESS : NO_ACCESS);
-  return (result == WRITE_ACCESS && b->read_only) ? READ_ACCESS : result;
+
+  return result == WRITE_ACCESS && read_only ? READ_ACCESS : result;
 }
 
-static enum access_type current_access(server_baton_t *b)
+/* Set the *_ACCESS members in REPOSITORY according to the settings in
+ * CFG.  If READ_ONLY is set, unconditionally disable write access.
+ */
+static void
+set_access(repository_t *repository,
+           svn_config_t *cfg,
+           svn_boolean_t read_only)
+{
+  repository->auth_access = get_access(cfg, SVN_CONFIG_OPTION_AUTH_ACCESS,
+                                       "write", read_only);
+  repository->anon_access = get_access(cfg, SVN_CONFIG_OPTION_ANON_ACCESS,
+                                       "read", read_only);
+}
+
+/* Return the access level for the user in B.
+ */
+static enum access_type
+current_access(server_baton_t *b)
 {
-  return get_access(b,
-                    b->client_info->user ? AUTHENTICATED : UNAUTHENTICATED);
+  return b->client_info->user ? b->repository->auth_access
+                              : b->repository->anon_access;
 }
 
 /* Send authentication mechs for ACCESS_TYPE to the client.  If NEEDS_USERNAME
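Review bot: The doc comment on the new get_access() does not say what an unrecognised value does: by the strcmp chain, anything other than exactly "write" or "read" (so also "Write", or a typo) comes back as NO_ACCESS. Failing closed is the right direction for an access setting, but nothing in this hunk reports it, so an administrator cannot tell a misspelt value from a deliberate denial. I would extend the comment with `Any value other than "write" or "read" (compared case-sensitively) yields NO_ACCESS.`; whether a warning should also be logged at that point is a separate decision.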
@@ -618,11 +640,11 @@ static svn_error_t *send_mechs(svn_ra_sv
                                server_baton_t *b, enum access_type required,
                                svn_boolean_t needs_username)
 {
-  if (!needs_username && get_access(b, UNAUTHENTICATED) >= required)
+  if (!needs_username && b->repository->anon_access >= required)
     SVN_ERR(svn_ra_svn__write_word(conn, pool, "ANONYMOUS"));
-  if (b->client_info->tunnel_user && get_access(b, AUTHENTICATED) >= required)
+  if (b->client_info->tunnel_user && b->repository->auth_access >= required)
     SVN_ERR(svn_ra_svn__write_word(conn, pool, "EXTERNAL"));
-  if (b->repository->pwdb && get_access(b, AUTHENTICATED) >= required)
+  if (b->repository->pwdb && b->repository->auth_access >= required)
     SVN_ERR(svn_ra_svn__write_word(conn, pool, "CRAM-MD5"));
   return SVN_NO_ERROR;
 }
@@ -692,7 +714,7 @@ static svn_error_t *auth(svn_ra_svn_conn
   const char *user;
   *success = FALSE;
 
-  if (get_access(b, AUTHENTICATED) >= required
+  if (b->repository->auth_access >= required
       && b->client_info->tunnel_user && strcmp(mech, "EXTERNAL") == 0)
     {
       if (*mecharg && strcmp(mecharg, b->client_info->tunnel_user) != 0)
@@ -704,7 +726,7 @@ static svn_error_t *auth(svn_ra_svn_conn
       return SVN_NO_ERROR;
     }
 
-  if (get_access(b, UNAUTHENTICATED) >= required
+  if (b->repository->anon_access >= required
       && strcmp(mech, "ANONYMOUS") == 0 && ! needs_username)
     {
       SVN_ERR(svn_ra_svn__write_tuple(conn, pool, "w()", "success"));
@@ -712,7 +734,7 @@ static svn_error_t *auth(svn_ra_svn_conn
       return SVN_NO_ERROR;
     }
 
-  if (get_access(b, AUTHENTICATED) >= required
+  if (b->repository->auth_access >= required
       && b->repository->pwdb && strcmp(mech, "CRAM-MD5") == 0)
     {
       SVN_ERR(svn_ra_svn_cram_server(conn, pool, b->repository->pwdb,
@@ -859,7 +881,7 @@ static svn_error_t *must_have_access(svn
      authz configuration again with a different user credentials than
      the first time round. */
   if (b->client_info->user == NULL
-      && get_access(b, AUTHENTICATED) >= req
+      && b->repository->auth_access >= req
       && (b->client_info->tunnel_user || b->repository->pwdb
           || b->repository->use_sasl))
     SVN_ERR(auth_request(conn, pool, b, req, TRUE));
@@ -3415,8 +3437,9 @@ static svn_error_t *find_repos(const cha
      that this doesn't take into account any authz configuration read
      above, because we can't know about access it grants until paths
      are given by the client. */
-  if (get_access(b, UNAUTHENTICATED) == NO_ACCESS
-      && (get_access(b, AUTHENTICATED) == NO_ACCESS
+  set_access(repository, repository->cfg, b->read_only);
+  if (repository->anon_access == NO_ACCESS
+      && (repository->auth_access == NO_ACCESS
           || (!b->client_info->tunnel_user && !repository->pwdb
               && !repository->use_sasl)))
     return error_create_and_log(SVN_ERR_RA_NOT_AUTHORIZED, NULL,
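Review bot: The added set_access() call folds b->read_only, a property of the server baton, into fields stored on repository_t, so the cached anon_access and auth_access are only correct for batons with the same read_only value. Nothing visible here shows a repository_t being reused across batons, so this may be fine today, but a comment at the call would pin the assumption, e.g. `/* Access levels are capped by this baton's read_only flag; REPOSITORY must not be reused with a different one. */`. The one call visible here passes the repository's own config, so `set_access(repository, b->read_only)` reading `repository->cfg` internally would remove a way to pass a mismatched cfg. find_repos() starts and ends outside the hunk.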

Modified: subversion/trunk/subversion/svnserve/server.h
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/svnserve/server.h?rev=1530121&r1=1530120&r2=1530121&view=diff
==============================================================================
--- subversion/trunk/subversion/svnserve/server.h (original)
+++ subversion/trunk/subversion/svnserve/server.h Tue Oct  8 00:43:32 2013
@@ -59,6 +59,10 @@ typedef struct repository_t {
   enum username_case_type username_case; /* Case-normalize the username? */
   svn_boolean_t use_sasl;  /* Use Cyrus SASL for authentication;
                               always false if SVN_HAVE_SASL not defined */
+
+  enum access_type auth_access; /* access granted to authenticated users */
+  enum access_type anon_access; /* access granted to annonymous users */
+  
 } repository_t;
 
 typedef struct client_info_t {
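Review bot: The comments on the new auth_access and anon_access members do not say who sets them or that the read-only cap is already applied, although the serve.c and cyrus_auth.c hunks now take their authentication decisions from these fields. In this commit the only writer is set_access(), called from find_repos(), so a repository_t read before that call holds whatever allocation left there. Whether that is NO_ACCESS depends on the struct being zeroed and on the enum's zero value, neither of which is visible here. I would document the contract, e.g. `/* access granted to authenticated users; set by set_access(), already capped to READ_ACCESS when the server is read-only */`, and correct the spelling `annonymous` to `anonymous` in the second comment.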
@@ -80,9 +84,6 @@ typedef struct server_baton_t {
   apr_pool_t *pool;
 } server_baton_t;
 
-
-enum access_type get_access(server_baton_t *b, enum authn_type auth);
-
 typedef struct serve_params_t {
   /* The virtual root of the repositories to serve.  The client URL
      path is interpreted relative to this root and is not allowed to



Re: svn commit: r1530121 - in /subversion/trunk/subversion/svnserve: cyrus_auth.c serve.c server.h

Posted by Branko Čibej <br...@wandisco.com>.
On 07.10.2013 17:43, stefan2@apache.org wrote:
> Author: stefan2
> Date: Tue Oct  8 00:43:32 2013
> New Revision: 1530121
>
> URL: http://svn.apache.org/r1530121
> Log:
> Instead of evaluating the repos-global access settings from svnserve.conf
> again and again, read it once and store the result in the respository_t.

Looks like after this change, any change in the global settings in
svnserve.conf will require the server to be restarted. That's a fairly
important change of behaviour.

-- Brane


-- 
Branko Čibej | Director of Subversion
WANdisco // Non-Stop Data
e. brane@wandisco.com