contrib/subversion/subversion/libsvn_subr/config_auth.c

   1 /*
   2  * config_auth.c :  authentication files in the user config area
   3  *
   4  * ====================================================================
   5  *    Licensed to the Apache Software Foundation (ASF) under one
   6  *    or more contributor license agreements.  See the NOTICE file
   7  *    distributed with this work for additional information
   8  *    regarding copyright ownership.  The ASF licenses this file
   9  *    to you under the Apache License, Version 2.0 (the
  10  *    "License"); you may not use this file except in compliance
  11  *    with the License.  You may obtain a copy of the License at
  12  *
  13  *      http://www.apache.org/licenses/LICENSE-2.0
  14  *
  15  *    Unless required by applicable law or agreed to in writing,
  16  *    software distributed under the License is distributed on an
  17  *    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  18  *    KIND, either express or implied.  See the License for the
  19  *    specific language governing permissions and limitations
  20  *    under the License.
  21  * ====================================================================
  22  */
  23
  24
  25 \f
  26 #include "svn_dirent_uri.h"
  27 #include "svn_hash.h"
  28 #include "svn_io.h"
  29 #include "svn_pools.h"
  30 #include "config_impl.h"
  31
  32 #include "auth.h"
  33
  34 #include "svn_private_config.h"
  35
  36 #include "private/svn_auth_private.h"
  37
  38 /* Helper for svn_config_{read|write}_auth_data.  Return a path to a
  39    file within ~/.subversion/auth/ that holds CRED_KIND credentials
  40    within REALMSTRING.  If no path is available *PATH will be set to
  41    NULL. */
  42 svn_error_t *
  43 svn_auth__file_path(const char **path,
  44                     const char *cred_kind,
  45                     const char *realmstring,
  46                     const char *config_dir,
  47                     apr_pool_t *pool)
  48 {
  49   const char *authdir_path, *hexname;
  50   svn_checksum_t *checksum;
  51
  52   /* Construct the path to the directory containing the creds files,
  53      e.g. "~/.subversion/auth/svn.simple".  The last component is
  54      simply the cred_kind.  */
  55   SVN_ERR(svn_config_get_user_config_path(&authdir_path, config_dir,
  56                                           SVN_CONFIG__AUTH_SUBDIR, pool));
  57   if (authdir_path)
  58     {
  59       authdir_path = svn_dirent_join(authdir_path, cred_kind, pool);
  60
  61       /* Construct the basename of the creds file.  It's just the
  62          realmstring converted into an md5 hex string.  */
  63       SVN_ERR(svn_checksum(&checksum, svn_checksum_md5, realmstring,
  64                            strlen(realmstring), pool));
  65       hexname = svn_checksum_to_cstring(checksum, pool);
  66
  67       *path = svn_dirent_join(authdir_path, hexname, pool);
  68     }
  69   else
  70     *path = NULL;
  71
  72   return SVN_NO_ERROR;
  73 }
  74
  75
  76 svn_error_t *
  77 svn_config_read_auth_data(apr_hash_t **hash,
  78                           const char *cred_kind,
  79                           const char *realmstring,
  80                           const char *config_dir,
  81                           apr_pool_t *pool)
  82 {
  83   svn_node_kind_t kind;
  84   const char *auth_path;
  85
  86   *hash = NULL;
  87
  88   SVN_ERR(svn_auth__file_path(&auth_path, cred_kind, realmstring, config_dir,
  89                               pool));
  90   if (! auth_path)
  91     return SVN_NO_ERROR;
  92
  93   SVN_ERR(svn_io_check_path(auth_path, &kind, pool));
  94   if (kind == svn_node_file)
  95     {
  96       svn_stream_t *stream;
  97       svn_string_t *stored_realm;
  98
  99       SVN_ERR_W(svn_stream_open_readonly(&stream, auth_path, pool, pool),
 100                 _("Unable to open auth file for reading"));
 101
 102       *hash = apr_hash_make(pool);
 103
 104       SVN_ERR_W(svn_hash_read2(*hash, stream, SVN_HASH_TERMINATOR, pool),
 105                 apr_psprintf(pool, _("Error parsing '%s'"),
 106                              svn_dirent_local_style(auth_path, pool)));
 107
 108       stored_realm = svn_hash_gets(*hash, SVN_CONFIG_REALMSTRING_KEY);
 109
 110       if (!stored_realm || strcmp(stored_realm->data, realmstring) != 0)
 111         *hash = NULL; /* Hash collision, or somebody tampering with storage */
 112
 113       SVN_ERR(svn_stream_close(stream));
 114     }
 115
 116   return SVN_NO_ERROR;
 117 }
 118
 119
 120 svn_error_t *
 121 svn_config_write_auth_data(apr_hash_t *hash,
 122                            const char *cred_kind,
 123                            const char *realmstring,
 124                            const char *config_dir,
 125                            apr_pool_t *pool)
 126 {
 127   apr_file_t *authfile = NULL;
 128   svn_stream_t *stream;
 129   const char *auth_path;
 130
 131   SVN_ERR(svn_auth__file_path(&auth_path, cred_kind, realmstring, config_dir,
 132                               pool));
 133   if (! auth_path)
 134     return svn_error_create(SVN_ERR_NO_AUTH_FILE_PATH, NULL,
 135                             _("Unable to locate auth file"));
 136
 137   /* Add the realmstring to the hash, so programs (or users) can
 138      verify exactly which set of credentials this file holds.  */
 139   svn_hash_sets(hash, SVN_CONFIG_REALMSTRING_KEY,
 140                 svn_string_create(realmstring, pool));
 141
 142   SVN_ERR_W(svn_io_file_open(&authfile, auth_path,
 143                              (APR_WRITE | APR_CREATE | APR_TRUNCATE
 144                               | APR_BUFFERED),
 145                              APR_OS_DEFAULT, pool),
 146             _("Unable to open auth file for writing"));
 147
 148   stream = svn_stream_from_aprfile2(authfile, FALSE, pool);
 149   SVN_ERR_W(svn_hash_write2(hash, stream, SVN_HASH_TERMINATOR, pool),
 150             apr_psprintf(pool, _("Error writing hash to '%s'"),
 151                          svn_dirent_local_style(auth_path, pool)));
 152
 153   SVN_ERR(svn_stream_close(stream));
 154
 155   /* To be nice, remove the realmstring from the hash again, just in
 156      case the caller wants their hash unchanged. */
 157   svn_hash_sets(hash, SVN_CONFIG_REALMSTRING_KEY, NULL);
 158
 159   return SVN_NO_ERROR;
 160 }
 161
 162
 163 svn_error_t *
 164 svn_config_walk_auth_data(const char *config_dir,
 165                           svn_config_auth_walk_func_t walk_func,
 166                           void *walk_baton,
 167                           apr_pool_t *scratch_pool)
 168 {
 169   int i;
 170   apr_pool_t *iterpool;
 171   svn_boolean_t finished = FALSE;
 172   const char *cred_kinds[] =
 173     {
 174       SVN_AUTH_CRED_SIMPLE,
 175       SVN_AUTH_CRED_USERNAME,
 176       SVN_AUTH_CRED_SSL_CLIENT_CERT,
 177       SVN_AUTH_CRED_SSL_CLIENT_CERT_PW,
 178       SVN_AUTH_CRED_SSL_SERVER_TRUST,
 179       NULL
 180     };
 181
 182   iterpool = svn_pool_create(scratch_pool);
 183   for (i = 0; cred_kinds[i]; i++)
 184     {
 185       const char *item_path;
 186       const char *dir_path;
 187       apr_hash_t *nodes;
 188       svn_error_t *err;
 189       apr_pool_t *itempool;
 190       apr_hash_index_t *hi;
 191
 192       svn_pool_clear(iterpool);
 193
 194       if (finished)
 195         break;
 196
 197       SVN_ERR(svn_auth__file_path(&item_path, cred_kinds[i], "!", config_dir,
 198                                   iterpool));
 199
 200       dir_path = svn_dirent_dirname(item_path, iterpool);
 201
 202       err = svn_io_get_dirents3(&nodes, dir_path, TRUE, iterpool, iterpool);
 203       if (err)
 204         {
 205           if (!APR_STATUS_IS_ENOENT(err->apr_err)
 206               && !SVN__APR_STATUS_IS_ENOTDIR(err->apr_err))
 207             return svn_error_trace(err);
 208
 209           svn_error_clear(err);
 210           continue;
 211         }
 212
 213       itempool = svn_pool_create(iterpool);
 214       for (hi = apr_hash_first(iterpool, nodes); hi; hi = apr_hash_next(hi))
 215         {
 216           svn_io_dirent2_t *dirent = svn__apr_hash_index_val(hi);
 217           svn_stream_t *stream;
 218           apr_hash_t *creds_hash;
 219           const svn_string_t *realm;
 220           svn_boolean_t delete_file = FALSE;
 221
 222           if (finished)
 223             break;
 224
 225           if (dirent->kind != svn_node_file)
 226             continue;
 227
 228           svn_pool_clear(itempool);
 229
 230           item_path = svn_dirent_join(dir_path, svn__apr_hash_index_key(hi),
 231                                       itempool);
 232
 233           err = svn_stream_open_readonly(&stream, item_path,
 234                                          itempool, itempool);
 235           if (err)
 236             {
 237               /* Ignore this file. There are no credentials in it anyway */
 238               svn_error_clear(err);
 239               continue;
 240             }
 241
 242           creds_hash = apr_hash_make(itempool);
 243           err = svn_hash_read2(creds_hash, stream,
 244                                SVN_HASH_TERMINATOR, itempool);
 245           err = svn_error_compose_create(err, svn_stream_close(stream));
 246           if (err)
 247             {
 248               /* Ignore this file. There are no credentials in it anyway */
 249               svn_error_clear(err);
 250               continue;
 251             }
 252
 253           realm = svn_hash_gets(creds_hash, SVN_CONFIG_REALMSTRING_KEY);
 254           if (! realm)
 255             continue; /* Not an auth file */
 256
 257           err = walk_func(&delete_file, walk_baton, cred_kinds[i],
 258                           realm->data, creds_hash, itempool);
 259           if (err && err->apr_err == SVN_ERR_CEASE_INVOCATION)
 260             {
 261               svn_error_clear(err);
 262               err = SVN_NO_ERROR;
 263               finished = TRUE;
 264             }
 265           SVN_ERR(err);
 266
 267           if (delete_file)
 268             {
 269               /* Delete the file on disk */
 270               SVN_ERR(svn_io_remove_file2(item_path, TRUE, itempool));
 271             }
 272         }
 273     }
 274
 275   svn_pool_destroy(iterpool);
 276   return SVN_NO_ERROR;
 277 }