Posted to dev@subversion.apache.org by Lieven Govaerts <lg...@mobsol.be> on 2006/02/16 22:22:52 UTC

svnauthz-validate.c: Tool to validate authz files

Hi, 


earlier this week I made the mistake of putting a faulty svnaccess.conf file in
production on our server, with the result that none of our developers could
read or commit to the repository anymore ( all our rw access goes through
authz ). Promising my colleagues not to make the same mistake again, I want
to make sure I only put that file in production when it has been validated.

I searched ( and asked on irc ) for a tool to validate the authz file, but
apparently that didn't exist. So I wrote one in C ( based it on svnput.c ),
10 lines long, containing one single API call to svn_repos_authz_read. The
file is attached to this email as svnauthz-validate.c.
It only works against trunk & svn 1.3, not for any older version of svn.

Maybe this file can be put in the contrib area, although I feel this should
be a built-in feature of one of the svn admin apps ( svnadmin/svnlook or
svnserve? ).

regards,

Lieven.







Re: svnauthz-validate.c: Tool to validate authz files

Posted by Garrett Rooney <ro...@electricjellyfish.net>.
On 2/17/06, Lieven Govaerts <lg...@mobsol.be> wrote:
> On Fri, 2006-02-17 at 11:30 -0800, Garrett Rooney wrote:
>
> > Committed in r18504.  Thanks.
> >
> > For the record, I made a few tweaks.  First, you don't need to
> > explicitly call apr_terminate, we set up an atexit handler for it in
> > svn_cmdline_init.  Second, I added a call to svn_handle_error2, since
> > it's useful to be able to tell the user what the actual error is.  I
> > also cleaned up some formatting stuff, but nothing big.
>
> Any particular reason you put this in tools/client-side? I'd thought it
> to be used at server-side almost exclusively.

Primarily the lack of a server-side directory at the moment ;-)

-garrett

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org


Re: svnauthz-validate.c: Tool to validate authz files

Posted by Lieven Govaerts <lg...@mobsol.be>.
On Fri, 2006-02-17 at 11:30 -0800, Garrett Rooney wrote:

> Committed in r18504.  Thanks.
> 
> For the record, I made a few tweaks.  First, you don't need to
> explicitly call apr_terminate, we set up an atexit handler for it in
> svn_cmdline_init.  Second, I added a call to svn_handle_error2, since
> it's useful to be able to tell the user what the actual error is.  I
> also cleaned up some formatting stuff, but nothing big.

Any particular reason you put this in tools/client-side? I'd thought it
to be used at server-side almost exclusively. 

> Thanks again!
You're welcome.

Lieven.



Re: svnauthz-validate.c: Tool to validate authz files

Posted by Garrett Rooney <ro...@electricjellyfish.net>.
On 2/17/06, Philip Martin <ph...@codematters.co.uk> wrote:

> tools/client-side isn't really correct as this is a server-side
> utility.

Ok, I'll move it into tools/server-side.

> It should be hooked into the build system via build.conf because a) we
> build things in contrib so we should certainly build things in the
> main tree, and b) the suggested command doesn't work on my system
> without `apr-1-config --cppflags` which would be supplied
> automatically if the build system was used.

I'll look into that.

> Could this be extended to call svn_repos_authz_check_access for a
> reponame/user/path given on the command line?  That would allow
> access testing without having to try commits.

Sounds like a good idea.  Patches welcome ;-)

-garrett



Re: svnauthz-validate.c: Tool to validate authz files

Posted by Philip Martin <ph...@codematters.co.uk>.
Garrett Rooney <ro...@electricjellyfish.net> writes:

> On 2/17/06, Lieven Govaerts <lg...@mobsol.be> wrote:
>> A new version of svnauthz-validate.c is attached.
>>
>> Changes:
>> - changed return values ( 0 when ok, 1 if not ok, 2 if any error )
>> - added collabnet license
>> - fixed linux build statement for build started in tools folder, changed
>> it to:
>>   cc svnauthz-validate.c -o svnauthz-validate -I../subversion/include
>> -I../apr/include  -I../apr-util/include -L/usr/local/lib -lsvn_repos-1
>> -lsvn_subr-1
>> - cleanup of pool and apr
>> - pass app.name to svn_cmdline_init
>
> Committed in r18504.  Thanks.
>
> For the record, I made a few tweaks.  First, you don't need to
> explicitly call apr_terminate, we set up an atexit handler for it in
> svn_cmdline_init.  Second, I added a call to svn_handle_error2, since
> it's useful to be able to tell the user what the actual error is.  I
> also cleaned up some formatting stuff, but nothing big.

tools/client-side isn't really correct as this is a server-side
utility.

It should be hooked into the build system via build.conf because a) we
build things in contrib so we should certainly build things in the
main tree, and b) the suggested command doesn't work on my system
without `apr-1-config --cppflags` which would be supplied
automatically if the build system was used.

Could this be extended to call svn_repos_authz_check_access for a
reponame/user/path given on the command line?  That would allow
access testing without having to try commits.

-- 
Philip Martin


Re: svnauthz-validate.c: Tool to validate authz files

Posted by Garrett Rooney <ro...@electricjellyfish.net>.
On 2/17/06, Lieven Govaerts <lg...@mobsol.be> wrote:
> A new version of svnauthz-validate.c is attached.
>
> Changes:
> - changed return values ( 0 when ok, 1 if not ok, 2 if any error )
> - added collabnet license
> - fixed linux build statement for build started in tools folder, changed
> it to:
>   cc svnauthz-validate.c -o svnauthz-validate -I../subversion/include
> -I../apr/include  -I../apr-util/include -L/usr/local/lib -lsvn_repos-1
> -lsvn_subr-1
> - cleanup of pool and apr
> - pass app.name to svn_cmdline_init

Committed in r18504.  Thanks.

For the record, I made a few tweaks.  First, you don't need to
explicitly call apr_terminate, we set up an atexit handler for it in
svn_cmdline_init.  Second, I added a call to svn_handle_error2, since
it's useful to be able to tell the user what the actual error is.  I
also cleaned up some formatting stuff, but nothing big.

Thanks again!

-garrett



Re: svnauthz-validate.c: Tool to validate authz files

Posted by Lieven Govaerts <lg...@mobsol.be>.
A new version of svnauthz-validate.c is attached.

Changes:
- changed return values ( 0 when ok, 1 if not ok, 2 if any error )
- added collabnet license
- fixed linux build statement for build started in tools folder, changed
it to:
  cc svnauthz-validate.c -o svnauthz-validate -I../subversion/include -I../apr/include -I../apr-util/include -L/usr/local/lib -lsvn_repos-1 -lsvn_subr-1
- cleanup of pool and apr
- pass app.name to svn_cmdline_init

Lieven.


On Fri, 2006-02-17 at 10:58 +0000, Max Bowsher wrote:
> 
> Lieven Govaerts wrote:
> > I suppose EXIT_SUCCESS = 0 & EXIT_FAILURE = 1?
> 
> EXIT_SUCCESS == 0, but EXIT_FAILURE is simply defined as "non-zero" by
> SUSv3 - which is why it is necessary to not use them if you want to use
> the return value to communicate anything other than a boolean
> success/failure.
> 
> Max.

Re: svnauthz-validate.c: Tool to validate authz files

Posted by Max Bowsher <ma...@ukf.net>.

Lieven Govaerts wrote:
> I suppose EXIT_SUCCESS = 0 & EXIT_FAILURE = 1?

EXIT_SUCCESS == 0, but EXIT_FAILURE is simply defined as "non-zero" by
SUSv3 - which is why it is necessary to not use them if you want to use
the return value to communicate anything other than a boolean
success/failure.

Max.

Re: svnauthz-validate.c: Tool to validate authz files

Posted by Lieven Govaerts <lg...@mobsol.be>.
Max,


thanks for your input. I'll cleanup/fix the code where needed and send a new
version later today. I'll include the collabnet license as well.

Quoting Max Bowsher <ma...@ukf.net>:

> I'm inclined to put it under tools - it's small enough and useful enough
> that providing the greater level of maintenance implied by tools vs.
> contrib isn't going to be a problem.
>
> Though, I would like to see a few things fixed first:
>
> Compile command:
> Does not need apache include files or libraries.
> Does not need to link libsvn_client
> DOES need to link libsvn_repos and libsvn_subr
>
> Usage message:
> s/when/if/
> What does it return if content is not ok?
>
> Actually, it would be nice if it could return:
> 0 => Syntax OK
> 1 => Syntax Bad, no other error
> 2 => Operational error
> (Drop usage of the EXIT_SUCCESS|FAILURE defines entirely, since they
> don't really make sense unless you are using them exclusively.)

I suppose EXIT_SUCCESS = 0 & EXIT_FAILURE = 1?

> Should not pass "minimal_client" to svn_cmdline_init().
>
> Remove the very elementary comments inherited from minimal_client.
>
> Remove the "shouldn't I clean the pool object here" comment. Call
> svn_pool_destroy(pool); apr_terminate(); to illustrate good practices.

Ok, that's what I needed.

>
> Max.

Lieven.




Re: svnauthz-validate.c: Tool to validate authz files

Posted by Max Bowsher <ma...@ukf.net>.

Daniel Rall wrote:
> Thanks Lieven, looks neat.  Should we stick this in the contrib area?
> 
> - Dan


I'm inclined to put it under tools - it's small enough and useful enough
that providing the greater level of maintenance implied by tools vs.
contrib isn't going to be a problem.

Though, I would like to see a few things fixed first:

Compile command:
Does not need apache include files or libraries.
Does not need to link libsvn_client
DOES need to link libsvn_repos and libsvn_subr

Usage message:
s/when/if/
What does it return if content is not ok?

Actually, it would be nice if it could return:
0 => Syntax OK
1 => Syntax Bad, no other error
2 => Operational error
(Drop usage of the EXIT_SUCCESS|FAILURE defines entirely, since they
don't really make sense unless you are using them exclusively.)

Should not pass "minimal_client" to svn_cmdline_init().

Remove the very elementary comments inherited from minimal_client.

Remove the "shouldn't I clean the pool object here" comment. Call
svn_pool_destroy(pool); apr_terminate(); to illustrate good practices.


Max.
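
The 0/1/2 exit-status convention proposed above lets a deployment script tell a bad authz file apart from a failed run. The following is an added example (not part of this thread or of the Subversion tree) that installs a candidate file only when the validator exits 0; the `deploy_authz` function, the `VALIDATOR FILE` invocation and every path are assumptions.

```shell
#!/bin/sh
# Added example: gate an authz deployment on the validator's exit status.
# Assumptions: the validator is run as "<validator> <file>" and follows the
# 0/1/2 convention from this thread; function name and paths are hypothetical.

# deploy_authz VALIDATOR CANDIDATE LIVE
# Returns 0 if CANDIDATE validated and replaced LIVE,
#         1 if the validator reported bad syntax (LIVE untouched),
#         2 on any operational error (LIVE untouched).
deploy_authz() {
    validator=$1 candidate=$2 live=$3

    [ -r "$candidate" ] || { echo "cannot read $candidate" >&2; return 2; }

    # Capture the status without tripping "set -e" in a calling script.
    rc=0
    "$validator" "$candidate" || rc=$?
    case $rc in
        0) ;;
        1) echo "authz syntax invalid, keeping $live" >&2; return 1 ;;
        # Anything else (2, 126/127 for a missing binary, a signal) is
        # treated as operational failure: the file was never judged valid.
        *) echo "validator failed (exit $rc), keeping $live" >&2; return 2 ;;
    esac

    # Copy next to the live file, then rename: the server sees either the
    # old or the new file, never a partially written one.
    tmp="$live.new.$$"
    cp -- "$candidate" "$tmp" || { rm -f -- "$tmp"; return 2; }
    mv -f -- "$tmp" "$live"   || { rm -f -- "$tmp"; return 2; }
    return 0
}
```

Treating every status other than 0 as "do not deploy" means a missing or crashing validator can never let an unchecked file through.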

Re: svnauthz-validate.c: Tool to validate authz files

Posted by Daniel Rall <dl...@collab.net>.
Thanks Lieven, looks neat.  Should we stick this in the contrib area?

- Dan

On Fri, 17 Feb 2006, Lieven Govaerts wrote:

> You may put it under the CollabNet license.
> 
> Lieven.
> 
> > -----Original Message-----
> > From: rooneg@gmail.com [mailto:rooneg@gmail.com] On Behalf Of 
> > Garrett Rooney
> > 
> > I took a look at this, and it looks great, and I was about to 
> > commit it (with some cleanups, nothing major though) but I 
> > noticed that it doesn't specify a license...  Did you intend 
> > for it to be under the usual Subversion license?  Something else?

RE: svnauthz-validate.c: Tool to validate authz files

Posted by Lieven Govaerts <lg...@mobsol.be>.
You may put it under the CollabNet license.

Lieven.

> -----Original Message-----
> From: rooneg@gmail.com [mailto:rooneg@gmail.com] On Behalf Of 
> Garrett Rooney
> 
> I took a look at this, and it looks great, and I was about to 
> commit it (with some cleanups, nothing major though) but I 
> noticed that it doesn't specify a license...  Did you intend 
> for it to be under the usual Subversion license?  Something else?
> 
> -garrett



Re: svnauthz-validate.c: Tool to validate authz files

Posted by Garrett Rooney <ro...@electricjellyfish.net>.
On 2/16/06, Lieven Govaerts <lg...@mobsol.be> wrote:

> I searched ( and asked on irc ) for a tool to validate the authz file, but
> apparently that didn't exist. So I wrote one in C ( based it on svnput.c ),
> 10 lines long, containing one single API call to svn_repos_authz_read. The
> file is attached to this email as svnauthz-validate.c.
> It only works against trunk & svn 1.3, not for any older version of svn.
>
> Maybe this file can be put in the contrib area, although I feel this should
> be a built-in feature of one of the svn admin apps ( svnadmin/svnlook or
> svnserve? ).

I took a look at this, and it looks great, and I was about to commit
it (with some cleanups, nothing major though) but I noticed that it
doesn't specify a license...  Did you intend for it to be under the
usual Subversion license?  Something else?

-garrett
