On the 1.7.x, 1.8.x and 1.9.x branches: Cherry-pick r1692798 and 1692799 from trunk.
git-svn-id: https://svn.apache.org/repos/asf/subversion/branches/1.7.x@1692801 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/Makefile.in b/Makefile.in
index bab4577..b027a8d 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -316,6 +316,7 @@
done
APXS = @APXS@
+HTTPD_VERSION = @HTTPD_VERSION@
PYTHON = @PYTHON@
PERL = @PERL@
@@ -463,6 +464,9 @@
if test "$(HTTP_LIBRARY)" != ""; then \
flags="--http-library $(HTTP_LIBRARY) $$flags"; \
fi; \
+ if test "$(HTTPD_VERSION)" != ""; then \
+ flags="--httpd-version $(HTTPD_VERSION) $$flags"; \
+ fi; \
if test "$(SERVER_MINOR_VERSION)" != ""; then \
flags="--server-minor-version $(SERVER_MINOR_VERSION) $$flags"; \
fi; \
diff --git a/build/ac-macros/apache.m4 b/build/ac-macros/apache.m4
index c5c8535..f863997 100644
--- a/build/ac-macros/apache.m4
+++ b/build/ac-macros/apache.m4
@@ -85,6 +85,20 @@
AC_MSG_RESULT(no - Unable to locate $APXS_INCLUDE/mod_dav.h)
APXS=""
fi
+ HTTPD="`$APXS -q sbindir`/`$APXS -q PROGNAME`"
+ if ! test -e $HTTPD ; then
+ HTTPD="`$APXS -q bindir`/`$APXS -q PROGNAME`"
+ fi
+ HTTPD_VERSION=["`$HTTPD -v | $SED -e 's@^.*/\([0-9.]*\)\(.*$\)@\1@ ; 1q'`"]
+ AC_ARG_ENABLE(broken-httpd-auth,
+ AS_HELP_STRING([--enable-broken-httpd-auth],
+ [Allow building against httpd 2.4 with broken auth]),
+ [broken_httpd_auth=$enableval],[broken_httpd_auth=no])
+ if test "$enable_broken_httpd_auth" = "yes"; then
+ AC_MSG_NOTICE([Building with broken httpd auth])
+ AC_DEFINE(SVN_ALLOW_BROKEN_HTTPD_AUTH, 1,
+ [Defined to allow building against httpd 2.4 with broken auth])
+ fi
else
AC_MSG_RESULT(no)
fi
@@ -178,6 +192,7 @@
AC_SUBST(APACHE_LDFLAGS)
AC_SUBST(APACHE_INCLUDES)
AC_SUBST(APACHE_LIBEXECDIR)
+AC_SUBST(HTTPD_VERSION)
# there aren't any flags that interest us ...
#if test -n "$APXS" && test "$APXS" != "no"; then
diff --git a/build/run_tests.py b/build/run_tests.py
index 96de5cb..a5585ec 100755
--- a/build/run_tests.py
+++ b/build/run_tests.py
@@ -29,6 +29,7 @@
[--fs-type=<fs-type>] [--fsfs-packing] [--fsfs-sharding=<n>]
[--list] [--milestone-filter=<regex>] [--mode-filter=<type>]
[--server-minor-version=<version>]
+ [--httpd-version=<version>]
[--config-file=<file>]
<abs_srcdir> <abs_builddir>
<prog ...>
@@ -81,7 +82,7 @@
cleanup=None, enable_sasl=None, parallel=None, config_file=None,
fsfs_sharding=None, fsfs_packing=None,
list_tests=None, svn_bin=None, mode_filter=None,
- milestone_filter=None):
+ milestone_filter=None, httpd_version=None):
'''Construct a TestHarness instance.
ABS_SRCDIR and ABS_BUILDDIR are the source and build directories.
@@ -130,6 +131,7 @@
self.svn_bin = svn_bin
self.mode_filter = mode_filter
self.log = None
+ self.httpd_version = httpd_version
if not sys.stdout.isatty() or sys.platform == 'win32':
TextColors.disable()
@@ -414,6 +416,8 @@
svntest.main.options.fsfs_packing = self.fsfs_packing
if self.mode_filter is not None:
svntest.main.options.mode_filter = self.mode_filter
+ if self.httpd_version is not None:
+ svntest.main.options.httpd_version = self.httpd_version
svntest.main.options.srcdir = self.srcdir
@@ -562,7 +566,7 @@
'fsfs-packing', 'fsfs-sharding=',
'enable-sasl', 'parallel', 'config-file=',
'log-to-stdout', 'list', 'milestone-filter=',
- 'mode-filter='])
+ 'mode-filter=', 'httpd-version='])
except getopt.GetoptError:
args = []
@@ -572,9 +576,10 @@
base_url, fs_type, verbose, cleanup, enable_sasl, http_library, \
server_minor_version, fsfs_sharding, fsfs_packing, parallel, \
- config_file, log_to_stdout, list_tests, mode_filter, milestone_filter= \
+ config_file, log_to_stdout, list_tests, mode_filter, milestone_filter, \
+ httpd_version = \
None, None, None, None, None, None, None, None, None, None, None, \
- None, None, None, None
+ None, None, None, None, None
for opt, val in opts:
if opt in ['-u', '--url']:
base_url = val
@@ -606,6 +611,8 @@
milestone_filter = val
elif opt in ['--mode-filter']:
mode_filter = val
+ elif opt in ['--httpd-version']:
+ httpd_version = val
else:
raise getopt.GetoptError
@@ -620,7 +627,8 @@
base_url, fs_type, http_library, server_minor_version,
verbose, cleanup, enable_sasl, parallel, config_file,
fsfs_sharding, fsfs_packing, list_tests,
- mode_filter=mode_filter, milestone_filter=milestone_filter)
+ mode_filter=mode_filter, milestone_filter=milestone_filter,
+ httpd_version=httpd_version)
failed = th.run(args[2:])
if failed:
diff --git a/subversion/libsvn_repos/rev_hunt.c b/subversion/libsvn_repos/rev_hunt.c
index 5d8331d..281b61a 100644
--- a/subversion/libsvn_repos/rev_hunt.c
+++ b/subversion/libsvn_repos/rev_hunt.c
@@ -721,23 +721,6 @@
if (! prev_path)
break;
- if (authz_read_func)
- {
- svn_boolean_t readable;
- svn_fs_root_t *tmp_root;
-
- SVN_ERR(svn_fs_revision_root(&tmp_root, fs, revision, currpool));
- SVN_ERR(authz_read_func(&readable, tmp_root, path,
- authz_read_baton, currpool));
- if (! readable)
- {
- svn_pool_destroy(lastpool);
- svn_pool_destroy(currpool);
-
- return SVN_NO_ERROR;
- }
- }
-
/* Assign the current path to all younger revisions until we reach
the copy target rev. */
while ((revision_ptr < revision_ptr_end)
@@ -760,6 +743,20 @@
path = prev_path;
revision = prev_rev;
+ if (authz_read_func)
+ {
+ svn_boolean_t readable;
+ SVN_ERR(svn_fs_revision_root(&root, fs, revision, currpool));
+ SVN_ERR(authz_read_func(&readable, root, path,
+ authz_read_baton, currpool));
+ if (!readable)
+ {
+ svn_pool_destroy(lastpool);
+ svn_pool_destroy(currpool);
+ return SVN_NO_ERROR;
+ }
+ }
+
/* Clear last pool and switch. */
svn_pool_clear(lastpool);
tmppool = lastpool;
diff --git a/subversion/mod_authz_svn/mod_authz_svn.c b/subversion/mod_authz_svn/mod_authz_svn.c
index dc34d4d..3b47d56 100644
--- a/subversion/mod_authz_svn/mod_authz_svn.c
+++ b/subversion/mod_authz_svn/mod_authz_svn.c
@@ -48,6 +48,23 @@
#include "svn_dirent_uri.h"
#include "private/svn_fspath.h"
+/* The apache headers define these and they conflict with our definitions. */
+#ifdef PACKAGE_BUGREPORT
+#undef PACKAGE_BUGREPORT
+#endif
+#ifdef PACKAGE_NAME
+#undef PACKAGE_NAME
+#endif
+#ifdef PACKAGE_STRING
+#undef PACKAGE_STRING
+#endif
+#ifdef PACKAGE_TARNAME
+#undef PACKAGE_TARNAME
+#endif
+#ifdef PACKAGE_VERSION
+#undef PACKAGE_VERSION
+#endif
+#include "svn_private_config.h"
extern module AP_MODULE_DECLARE_DATA authz_svn_module;
@@ -65,6 +82,30 @@
const char *force_username_case;
} authz_svn_config_rec;
+#if AP_MODULE_MAGIC_AT_LEAST(20060110,0) /* version where
+ ap_some_auth_required breaks */
+# if AP_MODULE_MAGIC_AT_LEAST(20120211,47) /* first version with
+ force_authn hook and
+ ap_some_authn_required() which
+ allows us to work without
+ ap_some_auth_required() */
+# define USE_FORCE_AUTHN 1
+# define IN_SOME_AUTHN_NOTE "authz_svn-in-some-authn"
+# define FORCE_AUTHN_NOTE "authz_svn-force-authn"
+# else
+ /* ap_some_auth_required() is busted and no viable alternative exists */
+# ifndef SVN_ALLOW_BROKEN_HTTPD_AUTH
+# error This version of httpd has a security hole with mod_authz_svn
+# else
+ /* user wants to build anyway */
+# define USE_FORCE_AUTHN 0
+# endif
+# endif
+#else
+ /* old enough that ap_some_auth_required() still works */
+# define USE_FORCE_AUTHN 0
+#endif
+
/*
* Configuration
*/
@@ -682,7 +723,49 @@
&authz_svn_module);
const char *repos_path = NULL;
const char *dest_repos_path = NULL;
- int status;
+ int status, authn_required;
+
+#if USE_FORCE_AUTHN
+ /* Use the force_authn() hook available in 2.4.x to work securely
+ * given that ap_some_auth_required() is no longer functional for our
+ * purposes in 2.4.x.
+ */
+ int authn_configured;
+
+ /* We are not configured to run */
+ if (!conf->anonymous || apr_table_get(r->notes, IN_SOME_AUTHN_NOTE)
+ || (! (conf->access_file || conf->repo_relative_access_file)))
+ return DECLINED;
+
+ /* Authentication is configured */
+ authn_configured = ap_auth_type(r) != NULL;
+ if (authn_configured)
+ {
+ /* If the user is trying to authenticate, let him. It doesn't
+ * make much sense to grant anonymous access but deny authenticated
+ * users access, even though you can do that with '$anon' in the
+ * access file.
+ */
+ if (apr_table_get(r->headers_in,
+ (PROXYREQ_PROXY == r->proxyreq)
+ ? "Proxy-Authorization" : "Authorization"))
+ {
+ /* Set the note to force authn regardless of what access_checker_ex
+ hook requires */
+ apr_table_setn(r->notes, FORCE_AUTHN_NOTE, (const char*)1);
+
+ /* provide the proper return so the access_checker hook doesn't
+ * prevent the code from continuing on to the other auth hooks */
+ if (ap_satisfies(r) != SATISFY_ANY)
+ return OK;
+ else
+ return HTTP_FORBIDDEN;
+ }
+ }
+
+#else
+ /* Support for older versions of httpd that have a working
+ * ap_some_auth_required() */
/* We are not configured to run */
if (!conf->anonymous
@@ -697,9 +780,10 @@
if (ap_satisfies(r) != SATISFY_ANY)
return DECLINED;
- /* If the user is trying to authenticate, let him. If anonymous
- * access is allowed, so is authenticated access, by definition
- * of the meaning of '*' in the access file.
+ /* If the user is trying to authenticate, let him. It doesn't
+ * make much sense to grant anonymous access but deny authenticated
+ * users access, even though you can do that with '$anon' in the
+ * access file.
*/
if (apr_table_get(r->headers_in,
(PROXYREQ_PROXY == r->proxyreq)
@@ -711,6 +795,7 @@
return HTTP_FORBIDDEN;
}
}
+#endif
/* If anon access is allowed, return OK */
status = req_check_access(r, conf, &repos_path, &dest_repos_path);
@@ -719,7 +804,26 @@
if (!conf->authoritative)
return DECLINED;
+#if USE_FORCE_AUTHN
+ if (authn_configured) {
+ /* We have to check to see if authn is required because if so we must
+ * return UNAUTHORIZED (401) rather than FORBIDDEN (403) since returning
+ * the 403 leaks information about what paths may exist to
+ * unauthenticated users. We must set a note here in order
+ * to use ap_some_authn_rquired() without triggering an infinite
+ * loop since the call will trigger this function to be called again. */
+ apr_table_setn(r->notes, IN_SOME_AUTHN_NOTE, (const char*)1);
+ authn_required = ap_some_authn_required(r);
+ apr_table_unset(r->notes, IN_SOME_AUTHN_NOTE);
+ if (authn_required)
+ {
+ ap_note_auth_failure(r);
+ return HTTP_UNAUTHORIZED;
+ }
+ }
+#else
if (!ap_some_auth_required(r))
+#endif
log_access_verdict(APLOG_MARK, r, 0, repos_path, dest_repos_path);
return HTTP_FORBIDDEN;
@@ -800,6 +904,17 @@
return OK;
}
+#if USE_FORCE_AUTHN
+static int
+force_authn(request_rec *r)
+{
+ if (apr_table_get(r->notes, FORCE_AUTHN_NOTE))
+ return OK;
+
+ return DECLINED;
+}
+#endif
+
/*
* Module flesh
*/
@@ -816,6 +931,9 @@
* give SSLOptions +FakeBasicAuth a chance to work. */
ap_hook_check_user_id(check_user_id, mod_ssl, NULL, APR_HOOK_FIRST);
ap_hook_auth_checker(auth_checker, NULL, NULL, APR_HOOK_FIRST);
+#if USE_FORCE_AUTHN
+ ap_hook_force_authn(force_authn, NULL, NULL, APR_HOOK_FIRST);
+#endif
ap_register_provider(p,
AUTHZ_SVN__SUBREQ_BYPASS_PROV_GRP,
AUTHZ_SVN__SUBREQ_BYPASS_PROV_NAME,
diff --git a/subversion/tests/cmdline/README b/subversion/tests/cmdline/README
index 500c728..f8bdfcd 100644
--- a/subversion/tests/cmdline/README
+++ b/subversion/tests/cmdline/README
@@ -83,6 +83,133 @@
Require valid-user
</Location>
+ <Location /authz-test-work/anon>
+ DAV svn
+ SVNParentPath /home/yourusernamehere/projects/svn/subversion/tests/cmdline/svn-test-work/local_tmp
+ AuthzSVNAccessFile /home/yourusernamehere/projects/svn/subversion/tests/cmdline/svn-test-work/authz
+ SVNListParentPath On
+ # This may seem unnecessary but granting access to everyone here is necessary
+ # to exercise a bug with httpd 2.3.x+. The "Require all granted" syntax is
+ # new to 2.3.x+ which we can detect with the mod_authz_core.c module
+ # signature. Use the "Allow from all" syntax with older versions for symmetry.
+ <IfModule mod_authz_core.c>
+ Require all granted
+ </IfModule>
+ <IfModule !mod_authz_core.c>
+ Allow from all
+ </IfMOdule>
+ </Location>
+ <Location /authz-test-work/mixed>
+ DAV svn
+ SVNParentPath /home/yourusernamehere/projects/svn/subversion/tests/cmdline/svn-test-work/local_tmp
+ AuthzSVNAccessFile /home/yourusernamehere/projects/svn/subversion/tests/cmdline/svn-test-work/authz
+ SVNListParentPath On
+ AuthType Basic
+ AuthName "Subversion Repository"
+ AuthUserFile /usr/local/apache2/conf/users
+ Require valid-user
+ Satisfy Any
+ </Location>
+ <Location /authz-test-work/mixed-noauthwhenanon>
+ DAV svn
+ SVNParentPath /home/yourusernamehere/projects/svn/subversion/tests/cmdline/svn-test-work/local_tmp
+ AuthzSVNAccessFile /home/yourusernamehere/projects/svn/subversion/tests/cmdline/svn-test-work/authz
+ SVNListParentPath On
+ AuthType Basic
+ AuthName "Subversion Repository"
+ AuthUserFile /usr/local/apache2/conf/users
+ Require valid-user
+ AuthzSVNNoAuthWhenAnonymousAllowed On
+ </Location>
+ <Location /authz-test-work/authn>
+ DAV svn
+ SVNParentPath /home/yourusernamehere/projects/svn/subversion/tests/cmdline/svn-test-work/local_tmp
+ AuthzSVNAccessFile /home/yourusernamehere/projects/svn/subversion/tests/cmdline/svn-test-work/authz
+ SVNListParentPath On
+ AuthType Basic
+ AuthName "Subversion Repository"
+ AuthUserFile /usr/local/apache2/conf/users
+ Require valid-user
+ </Location>
+ <Location /authz-test-work/authn-anonoff>
+ DAV svn
+ SVNParentPath /home/yourusernamehere/projects/svn/subversion/tests/cmdline/svn-test-work/local_tmp
+ AuthzSVNAccessFile /home/yourusernamehere/projects/svn/subversion/tests/cmdline/svn-test-work/authz
+ SVNListParentPath On
+ AuthType Basic
+ AuthName "Subversion Repository"
+ AuthUserFile /usr/local/apache2/conf/users
+ Require valid-user
+ AuthzSVNAnonymous Off
+ </Location>
+ <Location /authz-test-work/authn-lcuser>
+ DAV svn
+ SVNParentPath /home/yourusernamehere/projects/svn/subversion/tests/cmdline/svn-test-work/local_tmp
+ AuthzSVNAccessFile /home/yourusernamehere/projects/svn/subversion/tests/cmdline/svn-test-work/authz
+ SVNListParentPath On
+ AuthType Basic
+ AuthName "Subversion Repository"
+ AuthUserFile /usr/local/apache2/conf/users
+ Require valid-user
+ AuthzForceUsernameCase Lower
+ </Location>
+ <Location /authz-test-work/authn-lcuser>
+ DAV svn
+ SVNParentPath /home/yourusernamehere/projects/svn/subversion/tests/cmdline/svn-test-work/local_tmp
+ AuthzSVNAccessFile /home/yourusernamehere/projects/svn/subversion/tests/cmdline/svn-test-work/authz
+ SVNListParentPath On
+ AuthType Basic
+ AuthName "Subversion Repository"
+ AuthUserFile /usr/local/apache2/conf/users
+ Require valid-user
+ AuthzForceUsernameCase Lower
+ </Location>
+ <Location /authz-test-work/authn-group>
+ DAV svn
+ SVNParentPath /home/yourusernamehere/projects/svn/subversion/tests/cmdline/svn-test-work/local_tmp
+ AuthzSVNAccessFile /home/yourusernamehere/projects/svn/subversion/tests/cmdline/svn-test-work/authz
+ SVNListParentPath On
+ AuthType Basic
+ AuthName "Subversion Repository"
+ AuthUserFile /usr/local/apache2/conf/users
+ AuthGroupFile /usr/local/apache2/conf/groups
+ Require group random
+ AuthzSVNAuthoritative Off
+ </Location>
+ <IfModule mod_authz_core.c>
+ <Location /authz-test-work/sallrany>
+ DAV svn
+ SVNParentPath /home/yourusernamehere/projects/svn/subversion/tests/cmdline/svn-test-work/local_tmp
+ AuthzSVNAccessFile /home/yourusernamehere/projects/svn/subversion/tests/cmdline/svn-test-work/authz
+ SVNListParentPath On
+ AuthType Basic
+ AuthName "Subversion Repository"
+ AuthUserFile /usr/local/apache2/conf/users
+ AuthzSendForbiddenOnFailure On
+ Satisfy All
+ <RequireAny>
+ Require valid-user
+ Require expr req('ALLOW') == '1'
+ </RequireAny>
+ </Location>
+ <Location /authz-test-work/sallrall>
+ DAV svn
+ SVNParentPath /home/yourusernamehere/projects/svn/subversion/tests/cmdline/svn-test-work/local_tmp
+ AuthzSVNAccessFile /home/yourusernamehere/projects/svn/subversion/tests/cmdline/svn-test-work/authz
+ SVNListParentPath On
+ AuthType Basic
+ AuthName "Subversion Repository"
+ AuthUserFile /usr/local/apache2/conf/users
+ AuthzSendForbiddenOnFailure On
+ Satisfy All
+ <RequireAll>
+ Require valid-user
+ Require expr req('ALLOW') == '1'
+ </RequireAll>
+ </Location>
+ </IfModule>
+
+
RedirectMatch permanent ^/svn-test-work/repositories/REDIRECT-PERM-(.*)$ /svn-test-work/repositories/$1
RedirectMatch ^/svn-test-work/repositories/REDIRECT-TEMP-(.*)$ /svn-test-work/repositories/$1
@@ -101,6 +228,15 @@
----------------------------
jrandom:xCGl35kV9oWCY
jconstant:xCGl35kV9oWCY
+JRANDOM:xCGl35kV9oWCY
+JCONSTANT:xCGl35kV9oWCY
+----------------------------
+
+and these lines into the
+/usr/local/apache/conf/groups file:
+----------------------------
+random: jrandom
+constant: jconstant
----------------------------
Now, (re)start Apache and run the tests over mod_dav_svn.
@@ -138,6 +274,8 @@
----------------------------
jrandom:$apr1$3p1.....$FQW6RceW5QhJ2blWDQgKn0
jconstant:$apr1$jp1.....$Usrqji1c9H6AbOxOGAzzb0
+ JRANDOM:$apr1$3p1.....$FQW6RceW5QhJ2blWDQgKn0
+ JCONSTANT:$apr1$jp1.....$Usrqji1c9H6AbOxOGAzzb0
----------------------------
diff --git a/subversion/tests/cmdline/authz_tests.py b/subversion/tests/cmdline/authz_tests.py
index 9bf0fbf..f19b15d 100755
--- a/subversion/tests/cmdline/authz_tests.py
+++ b/subversion/tests/cmdline/authz_tests.py
@@ -608,8 +608,10 @@
## cat
+ expected_err2 = ".*svn: E195012: Unable to find repository location.*"
+
# now see if we can look at the older version of rho
- svntest.actions.run_and_verify_svn(None, None, expected_err,
+ svntest.actions.run_and_verify_svn(None, None, expected_err2,
'cat', '-r', '2', D_url+'/rho')
if sbox.repo_url.startswith('http'):
@@ -626,10 +628,11 @@
svntest.actions.run_and_verify_svn(None, None, expected_err,
'diff', '-r', 'HEAD', G_url+'/rho')
- svntest.actions.run_and_verify_svn(None, None, expected_err,
+ # diff treats the unreadable path as indicating an add so no error
+ svntest.actions.run_and_verify_svn(None, None, [],
'diff', '-r', '2', D_url+'/rho')
- svntest.actions.run_and_verify_svn(None, None, expected_err,
+ svntest.actions.run_and_verify_svn(None, None, [],
'diff', '-r', '2:4', D_url+'/rho')
# test whether read access is correctly granted and denied
diff --git a/subversion/tests/cmdline/davautocheck.sh b/subversion/tests/cmdline/davautocheck.sh
index fd982ba..1600e94 100755
--- a/subversion/tests/cmdline/davautocheck.sh
+++ b/subversion/tests/cmdline/davautocheck.sh
@@ -248,8 +248,6 @@
|| fail "Authn_Core module not found."
LOAD_MOD_AUTHZ_CORE="$(get_loadmodule_config mod_authz_core)" \
|| fail "Authz_Core module not found."
-LOAD_MOD_AUTHZ_HOST="$(get_loadmodule_config mod_authz_host)" \
- || fail "Authz_Host module not found."
LOAD_MOD_UNIXD=$(get_loadmodule_config mod_unixd) \
|| fail "UnixD module not found"
}
@@ -257,6 +255,10 @@
|| fail "Authn_File module not found."
LOAD_MOD_AUTHZ_USER="$(get_loadmodule_config mod_authz_user)" \
|| fail "Authz_User module not found."
+LOAD_MOD_AUTHZ_GROUPFILE="$(get_loadmodule_config mod_authz_groupfile)" \
+ || fail "Authz_GroupFile module not found."
+LOAD_MOD_AUTHZ_HOST="$(get_loadmodule_config mod_authz_host)" \
+ || fail "Authz_Host module not found."
}
if [ ${APACHE_MPM:+set} ]; then
LOAD_MOD_MPM=$(get_loadmodule_config mod_mpm_$APACHE_MPM) \
@@ -272,6 +274,7 @@
HTTPD_MIME_TYPES="$HTTPD_ROOT/mime.types"
BASE_URL="http://localhost:$HTTPD_PORT"
HTTPD_USERS="$HTTPD_ROOT/users"
+HTTPD_GROUPS="$HTTPD_ROOT/groups"
mkdir "$HTTPD_ROOT" \
|| fail "couldn't create temporary directory '$HTTPD_ROOT'"
@@ -281,6 +284,14 @@
say "Adding users for lock authentication"
$HTPASSWD -bc $HTTPD_USERS jrandom rayjandom
$HTPASSWD -b $HTTPD_USERS jconstant rayjandom
+$HTPASSWD -b $HTTPD_USERS JRANDOM rayjandom
+$HTPASSWD -b $HTTPD_USERS JCONSTANT rayjandom
+
+say "Adding groups for mod_authz_svn tests"
+cat > "$HTTPD_GROUPS" <<__EOF__
+random: jrandom
+constant: jconstant
+__EOF__
touch $HTTPD_MIME_TYPES
@@ -297,7 +308,9 @@
$LOAD_MOD_AUTHN_FILE
$LOAD_MOD_AUTHZ_CORE
$LOAD_MOD_AUTHZ_USER
+$LOAD_MOD_AUTHZ_GROUPFILE
$LOAD_MOD_AUTHZ_HOST
+$LOAD_MOD_ACCESS_COMPAT
LoadModule authz_svn_module "$MOD_AUTHZ_SVN"
__EOF__
@@ -377,6 +390,151 @@
SVNAdvertiseV2Protocol ${ADVERTISE_V2_PROTOCOL}
${SVN_PATH_AUTHZ_LINE}
</Location>
+<Location /authz-test-work/anon>
+ DAV svn
+ SVNParentPath "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/local_tmp"
+ AuthzSVNAccessFile "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/authz"
+ SVNAdvertiseV2Protocol ${ADVERTISE_V2_PROTOCOL}
+ SVNListParentPath On
+ # This may seem unnecessary but granting access to everyone here is necessary
+ # to exercise a bug with httpd 2.3.x+. The "Require all granted" syntax is
+ # new to 2.3.x+ which we can detect with the mod_authz_core.c module
+ # signature. Use the "Allow from all" syntax with older versions for symmetry.
+ <IfModule mod_authz_core.c>
+ Require all granted
+ </IfModule>
+ <IfModule !mod_authz_core.c>
+ Allow from all
+ </IfMOdule>
+ ${SVN_PATH_AUTHZ_LINE}
+</Location>
+<Location /authz-test-work/mixed>
+ DAV svn
+ SVNParentPath "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/local_tmp"
+ AuthzSVNAccessFile "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/authz"
+ SVNAdvertiseV2Protocol ${ADVERTISE_V2_PROTOCOL}
+ SVNListParentPath On
+ AuthType Basic
+ AuthName "Subversion Repository"
+ AuthUserFile $HTTPD_USERS
+ Require valid-user
+ Satisfy Any
+ ${SVN_PATH_AUTHZ_LINE}
+</Location>
+<Location /authz-test-work/mixed-noauthwhenanon>
+ DAV svn
+ SVNParentPath "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/local_tmp"
+ AuthzSVNAccessFile "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/authz"
+ SVNAdvertiseV2Protocol ${ADVERTISE_V2_PROTOCOL}
+ SVNListParentPath On
+ AuthType Basic
+ AuthName "Subversion Repository"
+ AuthUserFile $HTTPD_USERS
+ Require valid-user
+ AuthzSVNNoAuthWhenAnonymousAllowed On
+ SVNPathAuthz On
+</Location>
+<Location /authz-test-work/authn>
+ DAV svn
+ SVNParentPath "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/local_tmp"
+ AuthzSVNAccessFile "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/authz"
+ SVNAdvertiseV2Protocol ${ADVERTISE_V2_PROTOCOL}
+ SVNListParentPath On
+ AuthType Basic
+ AuthName "Subversion Repository"
+ AuthUserFile $HTTPD_USERS
+ Require valid-user
+ ${SVN_PATH_AUTHZ_LINE}
+</Location>
+<Location /authz-test-work/authn-anonoff>
+ DAV svn
+ SVNParentPath "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/local_tmp"
+ AuthzSVNAccessFile "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/authz"
+ SVNAdvertiseV2Protocol ${ADVERTISE_V2_PROTOCOL}
+ SVNListParentPath On
+ AuthType Basic
+ AuthName "Subversion Repository"
+ AuthUserFile $HTTPD_USERS
+ Require valid-user
+ AuthzSVNAnonymous Off
+ SVNPathAuthz On
+</Location>
+<Location /authz-test-work/authn-lcuser>
+ DAV svn
+ SVNParentPath "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/local_tmp"
+ AuthzSVNAccessFile "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/authz"
+ SVNAdvertiseV2Protocol ${ADVERTISE_V2_PROTOCOL}
+ SVNListParentPath On
+ AuthType Basic
+ AuthName "Subversion Repository"
+ AuthUserFile $HTTPD_USERS
+ Require valid-user
+ AuthzForceUsernameCase Lower
+ ${SVN_PATH_AUTHZ_LINE}
+</Location>
+<Location /authz-test-work/authn-lcuser>
+ DAV svn
+ SVNParentPath "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/local_tmp"
+ AuthzSVNAccessFile "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/authz"
+ SVNAdvertiseV2Protocol ${ADVERTISE_V2_PROTOCOL}
+ SVNListParentPath On
+ AuthType Basic
+ AuthName "Subversion Repository"
+ AuthUserFile $HTTPD_USERS
+ Require valid-user
+ AuthzForceUsernameCase Lower
+ ${SVN_PATH_AUTHZ_LINE}
+</Location>
+<Location /authz-test-work/authn-group>
+ DAV svn
+ SVNParentPath "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/local_tmp"
+ AuthzSVNAccessFile "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/authz"
+ SVNAdvertiseV2Protocol ${ADVERTISE_V2_PROTOCOL}
+ SVNListParentPath On
+ AuthType Basic
+ AuthName "Subversion Repository"
+ AuthUserFile $HTTPD_USERS
+ AuthGroupFile $HTTPD_GROUPS
+ Require group random
+ AuthzSVNAuthoritative Off
+ SVNPathAuthz On
+</Location>
+<IfModule mod_authz_core.c>
+ <Location /authz-test-work/sallrany>
+ DAV svn
+ SVNParentPath "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/local_tmp"
+ AuthzSVNAccessFile "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/authz"
+ SVNAdvertiseV2Protocol ${ADVERTISE_V2_PROTOCOL}
+ SVNListParentPath On
+ AuthType Basic
+ AuthName "Subversion Repository"
+ AuthUserFile $HTTPD_USERS
+ AuthzSendForbiddenOnFailure On
+ Satisfy All
+ <RequireAny>
+ Require valid-user
+ Require expr req('ALLOW') == '1'
+ </RequireAny>
+ ${SVN_PATH_AUTHZ_LINE}
+ </Location>
+ <Location /authz-test-work/sallrall>
+ DAV svn
+ SVNParentPath "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/local_tmp"
+ AuthzSVNAccessFile "$ABS_BUILDDIR/subversion/tests/cmdline/svn-test-work/authz"
+ SVNAdvertiseV2Protocol ${ADVERTISE_V2_PROTOCOL}
+ SVNListParentPath On
+ AuthType Basic
+ AuthName "Subversion Repository"
+ AuthUserFile $HTTPD_USERS
+ AuthzSendForbiddenOnFailure On
+ Satisfy All
+ <RequireAll>
+ Require valid-user
+ Require expr req('ALLOW') == '1'
+ </RequireAll>
+ ${SVN_PATH_AUTHZ_LINE}
+ </Location>
+</IfModule>
RedirectMatch permanent ^/svn-test-work/repositories/REDIRECT-PERM-(.*)\$ /svn-test-work/repositories/\$1
RedirectMatch ^/svn-test-work/repositories/REDIRECT-TEMP-(.*)\$ /svn-test-work/repositories/\$1
__EOF__
diff --git a/subversion/tests/cmdline/mod_authz_svn_tests.py b/subversion/tests/cmdline/mod_authz_svn_tests.py
new file mode 100644
index 0000000..d04690f
--- /dev/null
+++ b/subversion/tests/cmdline/mod_authz_svn_tests.py
@@ -0,0 +1,1073 @@
+#!/usr/bin/env python
+#
+# mod_authz_svn_tests.py: testing mod_authz_svn
+#
+# Subversion is a tool for revision control.
+# See http://subversion.apache.org for more information.
+#
+# ====================================================================
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+######################################################################
+
+# General modules
+import os, re, logging
+
+logger = logging.getLogger()
+
+# Our testing module
+import svntest
+
+# (abbreviation)
+Skip = svntest.testcase.Skip_deco
+SkipUnless = svntest.testcase.SkipUnless_deco
+XFail = svntest.testcase.XFail_deco
+Issues = svntest.testcase.Issues_deco
+Issue = svntest.testcase.Issue_deco
+Wimp = svntest.testcase.Wimp_deco
+
+ls_of_D_no_H = '''<html><head><title>repos - Revision 1: /A/D</title></head>
+<body>
+ <h2>repos - Revision 1: /A/D</h2>
+ <ul>
+ <li><a href="../">..</a></li>
+ <li><a href="G/">G/</a></li>
+ <li><a href="gamma">gamma</a></li>
+ </ul>
+</body></html>'''
+
+ls_of_D_H = '''<html><head><title>repos - Revision 1: /A/D</title></head>
+<body>
+ <h2>repos - Revision 1: /A/D</h2>
+ <ul>
+ <li><a href="../">..</a></li>
+ <li><a href="G/">G/</a></li>
+ <li><a href="H/">H/</a></li>
+ <li><a href="gamma">gamma</a></li>
+ </ul>
+</body></html>'''
+
+ls_of_H = '''<html><head><title>repos - Revision 1: /A/D/H</title></head>
+<body>
+ <h2>repos - Revision 1: /A/D/H</h2>
+ <ul>
+ <li><a href="../">..</a></li>
+ <li><a href="chi">chi</a></li>
+ <li><a href="omega">omega</a></li>
+ <li><a href="psi">psi</a></li>
+ </ul>
+</body></html>'''
+
+user1 = svntest.main.wc_author
+user1_upper = user1.upper()
+user1_pass = svntest.main.wc_passwd
+user1_badpass = 'XXX'
+assert user1_pass != user1_badpass, "Passwords can't match"
+user2 = svntest.main.wc_author2
+user2_upper = user2.upper()
+user2_pass = svntest.main.wc_passwd
+user2_badpass = 'XXX'
+assert user2_pass != user2_badpass, "Passwords can't match"
+
+def write_authz_file(sbox):
+ svntest.main.write_authz_file(sbox, {
+ '/': '$anonymous = r\n' +
+ 'jrandom = rw\n' +
+ 'jconstant = rw',
+ '/A/D/H': '$anonymous =\n' +
+ '$authenticated =\n' +
+ 'jrandom = rw'
+ })
+
+def write_authz_file_groups(sbox):
+ authz_name = sbox.authz_name()
+ svntest.main.write_authz_file(sbox,{
+ '/': '* =',
+ })
+
+def verify_get(test_area_url, path, user, pw,
+ expected_status, expected_body, headers):
+ import httplib
+ from urlparse import urlparse
+ import base64
+
+ req_url = test_area_url + path
+
+ loc = urlparse(req_url)
+
+ if loc.scheme == 'http':
+ h = httplib.HTTPConnection(loc.hostname, loc.port)
+ else:
+ h = httplib.HTTPSConnection(loc.hostname, loc.port)
+
+ if headers is None:
+ headers = {}
+
+ if user and pw:
+ auth_info = user + ':' + pw
+ headers['Authorization'] = 'Basic ' + base64.b64encode(auth_info)
+ else:
+ auth_info = "anonymous"
+
+ h.request('GET', req_url, None, headers)
+
+ r = h.getresponse()
+
+ actual_status = r.status
+ if expected_status and expected_status != actual_status:
+
+ logger.warn("Expected status '" + str(expected_status) +
+ "' but got '" + str(actual_status) +
+ "' on url '" + req_url + "' (" +
+ auth_info + ").")
+ raise svntest.Failure
+
+ if expected_body:
+ actual_body = r.read()
+ if expected_body != actual_body:
+ logger.warn("Expected body:")
+ logger.warn(expected_body)
+ logger.warn("But got:")
+ logger.warn(actual_body)
+ logger.warn("on url '" + req_url + "' (" + auth_info + ").")
+ raise svntest.Failure
+
+def verify_gets(test_area_url, tests):
+ for test in tests:
+ verify_get(test_area_url, test['path'], test.get('user'), test.get('pw'),
+ test['status'], test.get('body'), test.get('headers'))
+
+
+######################################################################
+# Tests
+#
+# Each test must return on success or raise on failure.
+
+
+#----------------------------------------------------------------------
+
+
+@SkipUnless(svntest.main.is_ra_type_dav)
+def anon(sbox):
+ "test anonymous access"
+ sbox.build(read_only = True, create_wc = False)
+
+ test_area_url = sbox.repo_url.replace('/svn-test-work/local_tmp/repos',
+ '/authz-test-work/anon')
+
+ write_authz_file(sbox)
+
+ anon_tests = (
+ { 'path': '', 'status': 301 },
+ { 'path': '/', 'status': 200 },
+ { 'path': '/repos', 'status': 301 },
+ { 'path': '/repos/', 'status': 200 },
+ { 'path': '/repos/A', 'status': 301 },
+ { 'path': '/repos/A/', 'status': 200 },
+ { 'path': '/repos/A/D', 'status': 301 },
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_no_H },
+ { 'path': '/repos/A/D/gamma', 'status': 200 },
+ { 'path': '/repos/A/D/H', 'status': 403 },
+ { 'path': '/repos/A/D/H/', 'status': 403 },
+ { 'path': '/repos/A/D/H/chi', 'status': 403 },
+ # auth isn't configured so nothing should change when passing
+ # authn details
+ { 'path': '', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_no_H,
+ 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/gamma', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H', 'status': 403, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H/', 'status': 403, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H/chi', 'status': 403, 'user': user1, 'pw': user1_pass},
+ { 'path': '', 'status': 301, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/', 'status': 200, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos', 'status': 301, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/', 'status': 200, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A', 'status': 301, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/', 'status': 200, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D', 'status': 301, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_no_H,
+ 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/gamma', 'status': 200, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/H', 'status': 403, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/H/', 'status': 403, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/H/chi', 'status': 403, 'user': user1, 'pw': user1_badpass},
+ { 'path': '', 'status': 301, 'user': user2, 'pw': user1_pass},
+ { 'path': '/', 'status': 200, 'user': user2, 'pw': user1_pass},
+ { 'path': '/repos', 'status': 301, 'user': user2, 'pw': user1_pass},
+ { 'path': '/repos/', 'status': 200, 'user': user2, 'pw': user1_pass},
+ { 'path': '/repos/A', 'status': 301, 'user': user2, 'pw': user1_pass},
+ { 'path': '/repos/A/', 'status': 200, 'user': user2, 'pw': user1_pass},
+ { 'path': '/repos/A/D', 'status': 301, 'user': user2, 'pw': user1_pass},
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_no_H,
+ 'user': user2, 'pw': user1_pass},
+ { 'path': '/repos/A/D/gamma', 'status': 200, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H', 'status': 403, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H/', 'status': 403, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H/chi', 'status': 403, 'user': user2, 'pw': user2_pass},
+ { 'path': '', 'status': 301, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/', 'status': 200, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos', 'status': 301, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/', 'status': 200, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A', 'status': 301, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/', 'status': 200, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D', 'status': 301, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_no_H,
+ 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/gamma', 'status': 200, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/H', 'status': 403, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/H/', 'status': 403, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/H/chi', 'status': 403, 'user': user2, 'pw': user2_badpass},
+ )
+
+ verify_gets(test_area_url, anon_tests)
+
+
+@SkipUnless(svntest.main.is_ra_type_dav)
+def mixed(sbox):
+ "test mixed anonymous and authenticated access"
+ sbox.build(read_only = True, create_wc = False)
+
+ test_area_url = sbox.repo_url.replace('/svn-test-work/local_tmp/repos',
+ '/authz-test-work/mixed')
+
+ write_authz_file(sbox)
+
+ mixed_tests = (
+ { 'path': '', 'status': 301, },
+ { 'path': '/', 'status': 200, },
+ { 'path': '/repos', 'status': 301, },
+ { 'path': '/repos/', 'status': 200, },
+ { 'path': '/repos/A', 'status': 301, },
+ { 'path': '/repos/A/', 'status': 200, },
+ { 'path': '/repos/A/D', 'status': 301, },
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_no_H,
+ },
+ { 'path': '/repos/A/D/gamma', 'status': 200, },
+ { 'path': '/repos/A/D/H', 'status': 401, },
+ { 'path': '/repos/A/D/H/', 'status': 401, },
+ { 'path': '/repos/A/D/H/chi', 'status': 401, },
+ # auth is configured and user1 is allowed access to H
+ { 'path': '', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_H,
+ 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/gamma', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H/', 'status': 200, 'body': ls_of_H, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H/chi', 'status': 200, 'user': user1, 'pw': user1_pass},
+ # try with the wrong password for user1
+ { 'path': '', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/gamma', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/H', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/H/', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/H/chi', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ # auth is configured and user2 is not allowed access to H
+ { 'path': '', 'status': 301, 'user': user2, 'pw': user2_pass},
+ { 'path': '/', 'status': 200, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos', 'status': 301, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/', 'status': 200, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A', 'status': 301, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/', 'status': 200, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D', 'status': 301, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_no_H,
+ 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/gamma', 'status': 200, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H', 'status': 403, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H/', 'status': 403, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H/chi', 'status': 403, 'user': user2, 'pw': user2_pass},
+ # try with the wrong password for user2
+ { 'path': '', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/gamma', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/H', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/H/', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/H/chi', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ )
+
+ verify_gets(test_area_url, mixed_tests)
+
+@SkipUnless(svntest.main.is_ra_type_dav)
+@XFail(svntest.main.is_httpd_authz_provider_enabled)
+# uses the AuthzSVNNoAuthWhenAnonymousAllowed On directive
+# this is broken with httpd 2.3.x+ since it requires the auth system to accept
+# r->user == NULL and there is a test for this in server/request.c now. It
+# was intended as a workaround for the lack of Satisfy Any in 2.3.x+ which
+# was resolved by httpd with mod_access_compat in 2.3.x+.
+def mixed_noauthwhenanon(sbox):
+ "test mixed with noauthwhenanon directive"
+ sbox.build(read_only = True, create_wc = False)
+
+ test_area_url = sbox.repo_url.replace('/svn-test-work/local_tmp/repos',
+ '/authz-test-work/mixed-noauthwhenanon')
+
+ write_authz_file(sbox)
+
+ noauthwhenanon_tests = (
+ { 'path': '', 'status': 301, },
+ { 'path': '/', 'status': 200, },
+ { 'path': '/repos', 'status': 301, },
+ { 'path': '/repos/', 'status': 200, },
+ { 'path': '/repos/A', 'status': 301, },
+ { 'path': '/repos/A/', 'status': 200, },
+ { 'path': '/repos/A/D', 'status': 301, },
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_no_H,
+ },
+ { 'path': '/repos/A/D/gamma', 'status': 200, },
+ { 'path': '/repos/A/D/H', 'status': 401, },
+ { 'path': '/repos/A/D/H/', 'status': 401, },
+ { 'path': '/repos/A/D/H/chi', 'status': 401, },
+ # auth is configured and user1 is allowed access to H
+ { 'path': '', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_H,
+ 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/gamma', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H/', 'status': 200, 'body': ls_of_H, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H/chi', 'status': 200, 'user': user1, 'pw': user1_pass},
+ # try with the wrong password for user1
+ # note that unlike doing this with Satisfy Any this case
+ # actually provides anon access when provided with an invalid
+ # password
+ { 'path': '', 'status': 301, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/', 'status': 200, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos', 'status': 301, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/', 'status': 200, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A', 'status': 301, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/', 'status': 200, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D', 'status': 301, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/', 'status': 200, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/gamma', 'status': 200, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/H', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/H/', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/H/chi', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ # auth is configured and user2 is not allowed access to H
+ { 'path': '', 'status': 301, 'user': user2, 'pw': user2_pass},
+ { 'path': '/', 'status': 200, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos', 'status': 301, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/', 'status': 200, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A', 'status': 301, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/', 'status': 200, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D', 'status': 301, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_no_H,
+ 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/gamma', 'status': 200, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H', 'status': 403, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H/', 'status': 403, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H/chi', 'status': 403, 'user': user2, 'pw': user2_pass},
+ # try with the wrong password for user2
+ { 'path': '', 'status': 301, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/', 'status': 200, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos', 'status': 301, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/', 'status': 200, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A', 'status': 301, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/', 'status': 200, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D', 'status': 301, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/', 'status': 200, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/gamma', 'status': 200, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/H', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/H/', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/H/chi', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ )
+
+ verify_gets(test_area_url, noauthwhenanon_tests)
+
+
+@SkipUnless(svntest.main.is_ra_type_dav)
+def authn(sbox):
+ "test authenticated only access"
+ sbox.build(read_only = True, create_wc = False)
+
+ test_area_url = sbox.repo_url.replace('/svn-test-work/local_tmp/repos',
+ '/authz-test-work/authn')
+
+ write_authz_file(sbox)
+
+ authn_tests = (
+ { 'path': '', 'status': 401, },
+ { 'path': '/', 'status': 401, },
+ { 'path': '/repos', 'status': 401, },
+ { 'path': '/repos/', 'status': 401, },
+ { 'path': '/repos/A', 'status': 401, },
+ { 'path': '/repos/A/', 'status': 401, },
+ { 'path': '/repos/A/D', 'status': 401, },
+ { 'path': '/repos/A/D/', 'status': 401, },
+ { 'path': '/repos/A/D/gamma', 'status': 401, },
+ { 'path': '/repos/A/D/H', 'status': 401, },
+ { 'path': '/repos/A/D/H/', 'status': 401, },
+ { 'path': '/repos/A/D/H/chi', 'status': 401, },
+ # auth is configured and user1 is allowed access to H
+ { 'path': '', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_H,
+ 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/gamma', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H/', 'status': 200, 'body': ls_of_H, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H/chi', 'status': 200, 'user': user1, 'pw': user1_pass},
+ # try with upper case username for user1
+ { 'path': '', 'status': 301, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/', 'status': 200, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos', 'status': 403, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/', 'status': 403, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/A', 'status': 403, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/A/', 'status': 403, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/A/D', 'status': 403, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/A/D/', 'status': 403, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/A/D/gamma', 'status': 403, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H', 'status': 403, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H/', 'status': 403, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H/chi', 'status': 403, 'user': user1_upper, 'pw': user1_pass},
+ # try with the wrong password for user1
+ { 'path': '', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/gamma', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/H', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/H/', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/H/chi', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ # auth is configured and user2 is not allowed access to H
+ { 'path': '', 'status': 301, 'user': user2, 'pw': user2_pass},
+ { 'path': '/', 'status': 200, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos', 'status': 301, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/', 'status': 200, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A', 'status': 301, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/', 'status': 200, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D', 'status': 301, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_no_H,
+ 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/gamma', 'status': 200, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H', 'status': 403, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H/', 'status': 403, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H/chi', 'status': 403, 'user': user2, 'pw': user2_pass},
+ # try with upper case username for user2
+ { 'path': '', 'status': 301, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/', 'status': 200, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos', 'status': 403, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/', 'status': 403, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/A', 'status': 403, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/A/', 'status': 403, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/A/D', 'status': 403, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/A/D/', 'status': 403, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/A/D/gamma', 'status': 403, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H', 'status': 403, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H/', 'status': 403, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H/chi', 'status': 403, 'user': user2_upper, 'pw': user2_pass},
+ # try with the wrong password for user2
+ { 'path': '', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/gamma', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/H', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/H/', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/H/chi', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ )
+
+ verify_gets(test_area_url, authn_tests)
+
+@SkipUnless(svntest.main.is_ra_type_dav)
+def authn_anonoff(sbox):
+ "test authenticated only access with anonoff"
+ sbox.build(read_only = True, create_wc = False)
+
+ test_area_url = sbox.repo_url.replace('/svn-test-work/local_tmp/repos',
+ '/authz-test-work/authn-anonoff')
+
+ write_authz_file(sbox)
+
+ anonoff_tests = (
+ { 'path': '', 'status': 401, },
+ { 'path': '/', 'status': 401, },
+ { 'path': '/repos', 'status': 401, },
+ { 'path': '/repos/', 'status': 401, },
+ { 'path': '/repos/A', 'status': 401, },
+ { 'path': '/repos/A/', 'status': 401, },
+ { 'path': '/repos/A/D', 'status': 401, },
+ { 'path': '/repos/A/D/', 'status': 401, },
+ { 'path': '/repos/A/D/gamma', 'status': 401, },
+ { 'path': '/repos/A/D/H', 'status': 401, },
+ { 'path': '/repos/A/D/H/', 'status': 401, },
+ { 'path': '/repos/A/D/H/chi', 'status': 401, },
+ # auth is configured and user1 is allowed access to H
+ { 'path': '', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_H,
+ 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/gamma', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H/', 'status': 200, 'body': ls_of_H, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H/chi', 'status': 200, 'user': user1, 'pw': user1_pass},
+ # try with upper case username for user1
+ { 'path': '', 'status': 301, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/', 'status': 200, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos', 'status': 403, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/', 'status': 403, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/A', 'status': 403, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/A/', 'status': 403, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/A/D', 'status': 403, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/A/D/', 'status': 403, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/A/D/gamma', 'status': 403, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H', 'status': 403, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H/', 'status': 403, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H/chi', 'status': 403, 'user': user1_upper, 'pw': user1_pass},
+ # try with the wrong password for user1
+ { 'path': '', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/gamma', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/H', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/H/', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/H/chi', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ # auth is configured and user2 is not allowed access to H
+ { 'path': '', 'status': 301, 'user': user2, 'pw': user2_pass},
+ { 'path': '/', 'status': 200, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos', 'status': 301, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/', 'status': 200, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A', 'status': 301, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/', 'status': 200, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D', 'status': 301, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_no_H,
+ 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/gamma', 'status': 200, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H', 'status': 403, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H/', 'status': 403, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H/chi', 'status': 403, 'user': user2, 'pw': user2_pass},
+ # try with upper case username for user2
+ { 'path': '', 'status': 301, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/', 'status': 200, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos', 'status': 403, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/', 'status': 403, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/A', 'status': 403, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/A/', 'status': 403, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/A/D', 'status': 403, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/A/D/', 'status': 403, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/A/D/gamma', 'status': 403, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H', 'status': 403, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H/', 'status': 403, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H/chi', 'status': 403, 'user': user2_upper, 'pw': user2_pass},
+ # try with the wrong password for user2
+ { 'path': '', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/gamma', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/H', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/H/', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/H/chi', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ )
+
+ verify_gets(test_area_url, anonoff_tests)
+
+@SkipUnless(svntest.main.is_ra_type_dav)
+def authn_lcuser(sbox):
+ "test authenticated only access with lcuser"
+ sbox.build(read_only = True, create_wc = False)
+
+ test_area_url = sbox.repo_url.replace('/svn-test-work/local_tmp/repos',
+ '/authz-test-work/authn-lcuser')
+
+ write_authz_file(sbox)
+
+ lcuser_tests = (
+ # try with upper case username for user1 (works due to lcuser option)
+ { 'path': '', 'status': 301, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/', 'status': 200, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos', 'status': 301, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/', 'status': 200, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/A', 'status': 301, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/A/', 'status': 200, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/A/D', 'status': 301, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_H,
+ 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/A/D/gamma', 'status': 200, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H', 'status': 301, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H/', 'status': 200, 'body': ls_of_H, 'user': user1_upper, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H/chi', 'status': 200, 'user': user1_upper, 'pw': user1_pass},
+ # try with upper case username for user2 (works due to lcuser option)
+ { 'path': '', 'status': 301, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/', 'status': 200, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos', 'status': 301, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/', 'status': 200, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/A', 'status': 301, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/A/', 'status': 200, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/A/D', 'status': 301, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_no_H,
+ 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/A/D/gamma', 'status': 200, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H', 'status': 403, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H/', 'status': 403, 'user': user2_upper, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H/chi', 'status': 403, 'user': user2_upper, 'pw': user2_pass},
+ )
+
+ verify_gets(test_area_url, lcuser_tests)
+
+# authenticated access only by group - a excuse to use AuthzSVNAuthoritative Off
+# this is terribly messed up, Require group runs after mod_authz_svn.
+# so if mod_authz_svn grants the access then it doesn't matter what the group
+# requirement says. If we reject the access then you can use the AuthzSVNAuthoritative Off
+# directive to fall through to the group check. Overall the behavior of setups like this
+# is almost guaranteed to not be what users expect.
+@SkipUnless(svntest.main.is_ra_type_dav)
+def authn_group(sbox):
+ "test authenticated only access via groups"
+ sbox.build(read_only = True, create_wc = False)
+
+ test_area_url = sbox.repo_url.replace('/svn-test-work/local_tmp/repos',
+ '/authz-test-work/authn-group')
+
+ # Can't use write_authz_file() as most tests because we want to deny all
+ # access with mod_authz_svn so the tests fall through to the group handling
+ authz_name = sbox.authz_name()
+ svntest.main.write_authz_file(sbox, {
+ '/': '* =',
+ })
+
+ group_tests = (
+ { 'path': '', 'status': 401, },
+ { 'path': '/', 'status': 401, },
+ { 'path': '/repos', 'status': 401, },
+ { 'path': '/repos/', 'status': 401, },
+ { 'path': '/repos/A', 'status': 401, },
+ { 'path': '/repos/A/', 'status': 401, },
+ { 'path': '/repos/A/D', 'status': 401, },
+ { 'path': '/repos/A/D/', 'status': 401, },
+ { 'path': '/repos/A/D/gamma', 'status': 401, },
+ { 'path': '/repos/A/D/H', 'status': 401, },
+ { 'path': '/repos/A/D/H/', 'status': 401, },
+ { 'path': '/repos/A/D/H/chi', 'status': 401, },
+ # auth is configured and user1 is allowed access repo including H
+ { 'path': '', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_H,
+ 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/gamma', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H/', 'status': 200, 'body': ls_of_H, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H/chi', 'status': 200, 'user': user1, 'pw': user1_pass},
+ )
+
+ verify_gets(test_area_url, group_tests)
+
+# This test exists to validate our behavior when used with the new authz
+# provider system introduced in httpd 2.3.x. The Satisfy directive
+# determines how older authz hooks are combined and the RequireA(ll|ny)
+# blocks handles how new authz providers are combined. The overall results of
+# all the authz providers (combined per the Require* blocks) are then
+# combined with the other authz hooks via the Satisfy directive.
+# Meaning this test requires that mod_authz_svn says yes and there is
+# either a valid user or the ALLOW header is 1. The header may seem
+# like a silly test but it's easier to excercise than say a host directive
+# in a repeatable test.
+@SkipUnless(svntest.main.is_httpd_authz_provider_enabled)
+def authn_sallrany(sbox):
+ "test satisfy all require any config"
+ sbox.build(read_only = True, create_wc = False)
+
+ test_area_url = sbox.repo_url.replace('/svn-test-work/local_tmp/repos',
+ '/authz-test-work/sallrany')
+
+ write_authz_file(sbox)
+
+ allow_header = { 'ALLOW': '1' }
+
+ sallrany_tests = (
+ #anon access isn't allowed without ALLOW header
+ { 'path': '', 'status': 401, },
+ { 'path': '/', 'status': 401, },
+ { 'path': '/repos', 'status': 401, },
+ { 'path': '/repos/', 'status': 401, },
+ { 'path': '/repos/A', 'status': 401, },
+ { 'path': '/repos/A/', 'status': 401, },
+ { 'path': '/repos/A/D', 'status': 401, },
+ { 'path': '/repos/A/D/', 'status': 401, },
+ { 'path': '/repos/A/D/gamma', 'status': 401, },
+ { 'path': '/repos/A/D/H', 'status': 401, },
+ { 'path': '/repos/A/D/H/', 'status': 401, },
+ { 'path': '/repos/A/D/H/chi', 'status': 401, },
+ # auth is configured and user1 is allowed access repo including H
+ { 'path': '', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_H,
+ 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/gamma', 'status': 200, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H', 'status': 301, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H/', 'status': 200, 'body': ls_of_H, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H/chi', 'status': 200, 'user': user1, 'pw': user1_pass},
+ # try with the wrong password for user1
+ { 'path': '', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/gamma', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/H', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/H/', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/H/chi', 'status': 401, 'user': user1, 'pw': user1_badpass},
+ # auth is configured and user2 is not allowed access to H
+ { 'path': '', 'status': 301, 'user': user2, 'pw': user2_pass},
+ { 'path': '/', 'status': 200, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos', 'status': 301, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/', 'status': 200, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A', 'status': 301, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/', 'status': 200, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D', 'status': 301, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_no_H,
+ 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/gamma', 'status': 200, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H', 'status': 403, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H/', 'status': 403, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H/chi', 'status': 403, 'user': user2, 'pw': user2_pass},
+ # try with the wrong password for user2
+ { 'path': '', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/gamma', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/H', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/H/', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/H/chi', 'status': 401, 'user': user2, 'pw': user2_badpass},
+ # anon is allowed with the ALLOW header
+ { 'path': '', 'status': 301, 'headers': allow_header },
+ { 'path': '/', 'status': 200, 'headers': allow_header },
+ { 'path': '/repos', 'status': 301, 'headers': allow_header },
+ { 'path': '/repos/', 'status': 200, 'headers': allow_header },
+ { 'path': '/repos/A', 'status': 301, 'headers': allow_header },
+ { 'path': '/repos/A/', 'status': 200, 'headers': allow_header },
+ { 'path': '/repos/A/D', 'status': 301, 'headers': allow_header },
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_no_H, 'headers': allow_header },
+ { 'path': '/repos/A/D/gamma', 'status': 200, 'headers': allow_header },
+ # these 3 tests return 403 instead of 401 becasue the config allows
+ # the anon user with the ALLOW header without any auth and the old hook
+ # system has no way of knowing it should return 401 since authentication is
+ # configured and can change the behavior. It could decide to return 401 just on
+ # the basis of authentication being configured but then that leaks info in other
+ # cases so it's better for this case to be "broken".
+ { 'path': '/repos/A/D/H', 'status': 403, 'headers': allow_header },
+ { 'path': '/repos/A/D/H/', 'status': 403, 'headers': allow_header },
+ { 'path': '/repos/A/D/H/chi', 'status': 403, 'headers': allow_header },
+ # auth is configured and user1 is allowed access repo including H
+ { 'path': '', 'status': 301, 'user': user1, 'pw': user1_pass, 'headers': allow_header },
+ { 'path': '/', 'status': 200, 'user': user1, 'pw': user1_pass, 'headers': allow_header },
+ { 'path': '/repos', 'status': 301, 'user': user1, 'pw': user1_pass, 'headers': allow_header },
+ { 'path': '/repos/', 'status': 200, 'user': user1, 'pw': user1_pass, 'headers': allow_header },
+ { 'path': '/repos/A', 'status': 301, 'user': user1, 'pw': user1_pass, 'headers': allow_header },
+ { 'path': '/repos/A/', 'status': 200, 'user': user1, 'pw': user1_pass, 'headers': allow_header },
+ { 'path': '/repos/A/D', 'status': 301, 'user': user1, 'pw': user1_pass, 'headers': allow_header },
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_H,
+ 'user': user1, 'pw': user1_pass, 'headers': allow_header },
+ { 'path': '/repos/A/D/gamma', 'status': 200, 'user': user1, 'pw': user1_pass, 'headers': allow_header },
+ { 'path': '/repos/A/D/H', 'status': 301, 'user': user1, 'pw': user1_pass, 'headers': allow_header },
+ { 'path': '/repos/A/D/H/', 'status': 200, 'body': ls_of_H, 'user': user1, 'pw': user1_pass, 'headers': allow_header },
+ { 'path': '/repos/A/D/H/chi', 'status': 200, 'user': user1, 'pw': user1_pass, 'headers': allow_header },
+ # try with the wrong password for user1
+ { 'path': '', 'status': 401, 'user': user1, 'pw': user1_badpass, 'headers': allow_header },
+ { 'path': '/', 'status': 401, 'user': user1, 'pw': user1_badpass, 'headers': allow_header },
+ { 'path': '/repos', 'status': 401, 'user': user1, 'pw': user1_badpass, 'headers': allow_header },
+ { 'path': '/repos/', 'status': 401, 'user': user1, 'pw': user1_badpass, 'headers': allow_header },
+ { 'path': '/repos/A', 'status': 401, 'user': user1, 'pw': user1_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/', 'status': 401, 'user': user1, 'pw': user1_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/D', 'status': 401, 'user': user1, 'pw': user1_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/D/', 'status': 401, 'user': user1, 'pw': user1_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/D/gamma', 'status': 401, 'user': user1, 'pw': user1_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/D/H', 'status': 401, 'user': user1, 'pw': user1_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/D/H/', 'status': 401, 'user': user1, 'pw': user1_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/D/H/chi', 'status': 401, 'user': user1, 'pw': user1_badpass, 'headers': allow_header },
+ # auth is configured and user2 is not allowed access to H
+ { 'path': '', 'status': 301, 'user': user2, 'pw': user2_pass, 'headers': allow_header },
+ { 'path': '/', 'status': 200, 'user': user2, 'pw': user2_pass, 'headers': allow_header },
+ { 'path': '/repos', 'status': 301, 'user': user2, 'pw': user2_pass, 'headers': allow_header },
+ { 'path': '/repos/', 'status': 200, 'user': user2, 'pw': user2_pass, 'headers': allow_header },
+ { 'path': '/repos/A', 'status': 301, 'user': user2, 'pw': user2_pass, 'headers': allow_header },
+ { 'path': '/repos/A/', 'status': 200, 'user': user2, 'pw': user2_pass, 'headers': allow_header },
+ { 'path': '/repos/A/D', 'status': 301, 'user': user2, 'pw': user2_pass, 'headers': allow_header },
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_no_H,
+ 'user': user2, 'pw': user2_pass, 'headers': allow_header },
+ { 'path': '/repos/A/D/gamma', 'status': 200, 'user': user2, 'pw': user2_pass, 'headers': allow_header },
+ { 'path': '/repos/A/D/H', 'status': 403, 'user': user2, 'pw': user2_pass, 'headers': allow_header },
+ { 'path': '/repos/A/D/H/', 'status': 403, 'user': user2, 'pw': user2_pass, 'headers': allow_header },
+ { 'path': '/repos/A/D/H/chi', 'status': 403, 'user': user2, 'pw': user2_pass, 'headers': allow_header },
+ # try with the wrong password for user2
+ { 'path': '', 'status': 401, 'user': user2, 'pw': user2_badpass, 'headers': allow_header },
+ { 'path': '/', 'status': 401, 'user': user2, 'pw': user2_badpass, 'headers': allow_header },
+ { 'path': '/repos', 'status': 401, 'user': user2, 'pw': user2_badpass, 'headers': allow_header },
+ { 'path': '/repos/', 'status': 401, 'user': user2, 'pw': user2_badpass, 'headers': allow_header },
+ { 'path': '/repos/A', 'status': 401, 'user': user2, 'pw': user2_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/', 'status': 401, 'user': user2, 'pw': user2_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/D', 'status': 401, 'user': user2, 'pw': user2_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/D/', 'status': 401, 'user': user2, 'pw': user2_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/D/gamma', 'status': 401, 'user': user2, 'pw': user2_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/D/H', 'status': 401, 'user': user2, 'pw': user2_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/D/H/', 'status': 401, 'user': user2, 'pw': user2_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/D/H/chi', 'status': 401, 'user': user2, 'pw': user2_badpass, 'headers': allow_header },
+
+ )
+
+ verify_gets(test_area_url, sallrany_tests)
+
+# See comments on authn_sallrany test for some background on the interaction
+# of Satisfy Any and the newer Require blocks.
+@SkipUnless(svntest.main.is_httpd_authz_provider_enabled)
+def authn_sallrall(sbox):
+ "test satisfy all require all config"
+ sbox.build(read_only = True, create_wc = False)
+
+ test_area_url = sbox.repo_url.replace('/svn-test-work/local_tmp/repos',
+ '/authz-test-work/sallrall')
+
+ write_authz_file(sbox)
+
+ allow_header = { 'ALLOW': '1' }
+
+ sallrall_tests = (
+ #anon access isn't allowed without ALLOW header
+ { 'path': '', 'status': 403, },
+ { 'path': '/', 'status': 403, },
+ { 'path': '/repos', 'status': 403, },
+ { 'path': '/repos/', 'status': 403, },
+ { 'path': '/repos/A', 'status': 403, },
+ { 'path': '/repos/A/', 'status': 403, },
+ { 'path': '/repos/A/D', 'status': 403, },
+ { 'path': '/repos/A/D/', 'status': 403, },
+ { 'path': '/repos/A/D/gamma', 'status': 403, },
+ { 'path': '/repos/A/D/H', 'status': 403, },
+ { 'path': '/repos/A/D/H/', 'status': 403, },
+ { 'path': '/repos/A/D/H/chi', 'status': 403, },
+ # auth is configured but no access is allowed without the ALLOW header
+ { 'path': '', 'status': 403, 'user': user1, 'pw': user1_pass},
+ { 'path': '/', 'status': 403, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos', 'status': 403, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/', 'status': 403, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A', 'status': 403, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/', 'status': 403, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D', 'status': 403, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/', 'status': 403, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/gamma', 'status': 403, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H', 'status': 403, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H/', 'status': 403, 'user': user1, 'pw': user1_pass},
+ { 'path': '/repos/A/D/H/chi', 'status': 403, 'user': user1, 'pw': user1_pass},
+ # try with the wrong password for user1
+ { 'path': '', 'status': 403, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/', 'status': 403, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos', 'status': 403, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/', 'status': 403, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A', 'status': 403, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/', 'status': 403, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D', 'status': 403, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/', 'status': 403, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/gamma', 'status': 403, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/H', 'status': 403, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/H/', 'status': 403, 'user': user1, 'pw': user1_badpass},
+ { 'path': '/repos/A/D/H/chi', 'status': 403, 'user': user1, 'pw': user1_badpass},
+ # auth is configured but no access is allowed without the ALLOW header
+ { 'path': '', 'status': 403, 'user': user2, 'pw': user2_pass},
+ { 'path': '/', 'status': 403, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos', 'status': 403, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/', 'status': 403, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A', 'status': 403, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/', 'status': 403, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D', 'status': 403, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/', 'status': 403, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/gamma', 'status': 403, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H', 'status': 403, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H/', 'status': 403, 'user': user2, 'pw': user2_pass},
+ { 'path': '/repos/A/D/H/chi', 'status': 403, 'user': user2, 'pw': user2_pass},
+ # try with the wrong password for user2
+ { 'path': '', 'status': 403, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/', 'status': 403, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos', 'status': 403, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/', 'status': 403, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A', 'status': 403, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/', 'status': 403, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D', 'status': 403, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/', 'status': 403, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/gamma', 'status': 403, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/H', 'status': 403, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/H/', 'status': 403, 'user': user2, 'pw': user2_badpass},
+ { 'path': '/repos/A/D/H/chi', 'status': 403, 'user': user2, 'pw': user2_badpass},
+ # anon is not allowed even with ALLOW header
+ { 'path': '', 'status': 401, 'headers': allow_header },
+ { 'path': '/', 'status': 401, 'headers': allow_header },
+ { 'path': '/repos', 'status': 401, 'headers': allow_header },
+ { 'path': '/repos/', 'status': 401, 'headers': allow_header },
+ { 'path': '/repos/A', 'status': 401, 'headers': allow_header },
+ { 'path': '/repos/A/', 'status': 401, 'headers': allow_header },
+ { 'path': '/repos/A/D', 'status': 401, 'headers': allow_header },
+ { 'path': '/repos/A/D/', 'status': 401, 'headers': allow_header },
+ { 'path': '/repos/A/D/gamma', 'status': 401, 'headers': allow_header },
+ { 'path': '/repos/A/D/H', 'status': 401, 'headers': allow_header },
+ { 'path': '/repos/A/D/H/', 'status': 401, 'headers': allow_header },
+ { 'path': '/repos/A/D/H/chi', 'status': 401, 'headers': allow_header },
+ # auth is configured and user1 is allowed access repo including H
+ { 'path': '', 'status': 301, 'user': user1, 'pw': user1_pass, 'headers': allow_header },
+ { 'path': '/', 'status': 200, 'user': user1, 'pw': user1_pass, 'headers': allow_header },
+ { 'path': '/repos', 'status': 301, 'user': user1, 'pw': user1_pass, 'headers': allow_header },
+ { 'path': '/repos/', 'status': 200, 'user': user1, 'pw': user1_pass, 'headers': allow_header },
+ { 'path': '/repos/A', 'status': 301, 'user': user1, 'pw': user1_pass, 'headers': allow_header },
+ { 'path': '/repos/A/', 'status': 200, 'user': user1, 'pw': user1_pass, 'headers': allow_header },
+ { 'path': '/repos/A/D', 'status': 301, 'user': user1, 'pw': user1_pass, 'headers': allow_header },
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_H,
+ 'user': user1, 'pw': user1_pass, 'headers': allow_header },
+ { 'path': '/repos/A/D/gamma', 'status': 200, 'user': user1, 'pw': user1_pass, 'headers': allow_header },
+ { 'path': '/repos/A/D/H', 'status': 301, 'user': user1, 'pw': user1_pass, 'headers': allow_header },
+ { 'path': '/repos/A/D/H/', 'status': 200, 'body': ls_of_H, 'user': user1, 'pw': user1_pass, 'headers': allow_header },
+ { 'path': '/repos/A/D/H/chi', 'status': 200, 'user': user1, 'pw': user1_pass, 'headers': allow_header },
+ # try with the wrong password for user1
+ { 'path': '', 'status': 401, 'user': user1, 'pw': user1_badpass, 'headers': allow_header },
+ { 'path': '/', 'status': 401, 'user': user1, 'pw': user1_badpass, 'headers': allow_header },
+ { 'path': '/repos', 'status': 401, 'user': user1, 'pw': user1_badpass, 'headers': allow_header },
+ { 'path': '/repos/', 'status': 401, 'user': user1, 'pw': user1_badpass, 'headers': allow_header },
+ { 'path': '/repos/A', 'status': 401, 'user': user1, 'pw': user1_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/', 'status': 401, 'user': user1, 'pw': user1_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/D', 'status': 401, 'user': user1, 'pw': user1_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/D/', 'status': 401, 'user': user1, 'pw': user1_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/D/gamma', 'status': 401, 'user': user1, 'pw': user1_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/D/H', 'status': 401, 'user': user1, 'pw': user1_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/D/H/', 'status': 401, 'user': user1, 'pw': user1_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/D/H/chi', 'status': 401, 'user': user1, 'pw': user1_badpass, 'headers': allow_header },
+ # auth is configured and user2 is not allowed access to H
+ { 'path': '', 'status': 301, 'user': user2, 'pw': user2_pass, 'headers': allow_header },
+ { 'path': '/', 'status': 200, 'user': user2, 'pw': user2_pass, 'headers': allow_header },
+ { 'path': '/repos', 'status': 301, 'user': user2, 'pw': user2_pass, 'headers': allow_header },
+ { 'path': '/repos/', 'status': 200, 'user': user2, 'pw': user2_pass, 'headers': allow_header },
+ { 'path': '/repos/A', 'status': 301, 'user': user2, 'pw': user2_pass, 'headers': allow_header },
+ { 'path': '/repos/A/', 'status': 200, 'user': user2, 'pw': user2_pass, 'headers': allow_header },
+ { 'path': '/repos/A/D', 'status': 301, 'user': user2, 'pw': user2_pass, 'headers': allow_header },
+ { 'path': '/repos/A/D/', 'status': 200, 'body': ls_of_D_no_H,
+ 'user': user2, 'pw': user2_pass, 'headers': allow_header },
+ { 'path': '/repos/A/D/gamma', 'status': 200, 'user': user2, 'pw': user2_pass, 'headers': allow_header },
+ { 'path': '/repos/A/D/H', 'status': 403, 'user': user2, 'pw': user2_pass, 'headers': allow_header },
+ { 'path': '/repos/A/D/H/', 'status': 403, 'user': user2, 'pw': user2_pass, 'headers': allow_header },
+ { 'path': '/repos/A/D/H/chi', 'status': 403, 'user': user2, 'pw': user2_pass, 'headers': allow_header },
+ # try with the wrong password for user2
+ { 'path': '', 'status': 401, 'user': user2, 'pw': user2_badpass, 'headers': allow_header },
+ { 'path': '/', 'status': 401, 'user': user2, 'pw': user2_badpass, 'headers': allow_header },
+ { 'path': '/repos', 'status': 401, 'user': user2, 'pw': user2_badpass, 'headers': allow_header },
+ { 'path': '/repos/', 'status': 401, 'user': user2, 'pw': user2_badpass, 'headers': allow_header },
+ { 'path': '/repos/A', 'status': 401, 'user': user2, 'pw': user2_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/', 'status': 401, 'user': user2, 'pw': user2_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/D', 'status': 401, 'user': user2, 'pw': user2_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/D/', 'status': 401, 'user': user2, 'pw': user2_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/D/gamma', 'status': 401, 'user': user2, 'pw': user2_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/D/H', 'status': 401, 'user': user2, 'pw': user2_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/D/H/', 'status': 401, 'user': user2, 'pw': user2_badpass, 'headers': allow_header },
+ { 'path': '/repos/A/D/H/chi', 'status': 401, 'user': user2, 'pw': user2_badpass, 'headers': allow_header },
+
+ )
+
+ verify_gets(test_area_url, sallrall_tests)
+
+
+########################################################################
+# Run the tests
+
+
+# list all tests here, starting with None:
+test_list = [ None,
+ anon,
+ mixed,
+ mixed_noauthwhenanon,
+ authn,
+ authn_anonoff,
+ authn_lcuser,
+ authn_group,
+ authn_sallrany,
+ authn_sallrall,
+ ]
+serial_only = True
+
+if __name__ == '__main__':
+ svntest.main.run_tests(test_list)
+ # NOTREACHED
+
+
+### End of file.
diff --git a/subversion/tests/cmdline/svntest/main.py b/subversion/tests/cmdline/svntest/main.py
index 820a080..8d0207e 100644
--- a/subversion/tests/cmdline/svntest/main.py
+++ b/subversion/tests/cmdline/svntest/main.py
@@ -1148,6 +1148,30 @@
def server_has_atomic_revprop():
return options.server_minor_version >= 7
+
+# https://issues.apache.org/bugzilla/show_bug.cgi?id=56480
+# https://issues.apache.org/bugzilla/show_bug.cgi?id=55397
+__mod_dav_url_quoting_broken_versions = frozenset([
+ '2.2.27',
+ '2.2.26',
+ '2.2.25',
+ '2.4.9',
+ '2.4.8',
+ '2.4.7',
+ '2.4.6',
+ '2.4.5',
+])
+def is_mod_dav_url_quoting_broken():
+ if is_ra_type_dav():
+ return (options.httpd_version in __mod_dav_url_quoting_broken_versions)
+ return None
+
+def is_httpd_authz_provider_enabled():
+ if is_ra_type_dav():
+ v = options.httpd_version.split('.')
+ return (v[0] == '2' and int(v[1]) >= 3) or int(v[0]) > 2
+ return None
+
######################################################################
@@ -1194,6 +1218,8 @@
args.append('--mode-filter=' + options.mode_filter)
if options.milestone_filter:
args.append('--milestone-filter=' + options.milestone_filter)
+ if options.httpd_version:
+ args.append('--httpd-version=' + options.httpd_version)
result, stdout_lines, stderr_lines = spawn_process(command, 0, 0, None,
*args)
@@ -1361,6 +1387,36 @@
sandbox.cleanup_test_paths()
return exit_code
+
+# https://issues.apache.org/bugzilla/show_bug.cgi?id=56480
+# https://issues.apache.org/bugzilla/show_bug.cgi?id=55397
+__mod_dav_url_quoting_broken_versions = frozenset([
+ '2.2.27',
+ '2.2.26',
+ '2.2.25',
+ '2.4.9',
+ '2.4.8',
+ '2.4.7',
+ '2.4.6',
+ '2.4.5',
+])
+def is_mod_dav_url_quoting_broken():
+ if is_ra_type_dav():
+ return (options.httpd_version in __mod_dav_url_quoting_broken_versions)
+ return None
+
+def is_httpd_authz_provider_enabled():
+ if is_ra_type_dav():
+ v = options.httpd_version.split('.')
+ return (v[0] == '2' and int(v[1]) >= 3) or int(v[0]) > 2
+ return None
+
+def is_httpd_authz_provider_enabled():
+ if is_ra_type_dav():
+ v = options.httpd_version.split('.')
+ return (v[0] == '2' and int(v[1]) >= 3) or int(v[0]) > 2
+ return None
+
######################################################################
# Main testing functions
diff --git a/subversion/tests/libsvn_repos/repos-test.c b/subversion/tests/libsvn_repos/repos-test.c
index f8eb3f3..d796347 100644
--- a/subversion/tests/libsvn_repos/repos-test.c
+++ b/subversion/tests/libsvn_repos/repos-test.c
@@ -2586,6 +2586,246 @@
return SVN_NO_ERROR;
}
+static svn_error_t *
+mkdir_delete_copy(svn_repos_t *repos,
+ const char *src,
+ const char *dst,
+ apr_pool_t *pool)
+{
+ svn_fs_t *fs = svn_repos_fs(repos);
+ svn_revnum_t youngest_rev;
+ svn_fs_txn_t *txn;
+ svn_fs_root_t *txn_root, *rev_root;
+
+ SVN_ERR(svn_fs_youngest_rev(&youngest_rev, fs, pool));
+
+ SVN_ERR(svn_fs_begin_txn(&txn, fs, youngest_rev, pool));
+ SVN_ERR(svn_fs_txn_root(&txn_root, txn, pool));
+ SVN_ERR(svn_fs_make_dir(txn_root, "A/T", pool));
+ SVN_ERR(svn_repos_fs_commit_txn(NULL, repos, &youngest_rev, txn, pool));
+
+ SVN_ERR(svn_fs_begin_txn(&txn, fs, youngest_rev, pool));
+ SVN_ERR(svn_fs_txn_root(&txn_root, txn, pool));
+ SVN_ERR(svn_fs_delete(txn_root, "A/T", pool));
+ SVN_ERR(svn_repos_fs_commit_txn(NULL, repos, &youngest_rev, txn, pool));
+
+ SVN_ERR(svn_fs_begin_txn(&txn, fs, youngest_rev, pool));
+ SVN_ERR(svn_fs_txn_root(&txn_root, txn, pool));
+ SVN_ERR(svn_fs_revision_root(&rev_root, fs, youngest_rev - 1, pool));
+ SVN_ERR(svn_fs_copy(rev_root, src, txn_root, dst, pool));
+ SVN_ERR(svn_repos_fs_commit_txn(NULL, repos, &youngest_rev, txn, pool));
+
+ return SVN_NO_ERROR;
+}
+
+struct authz_read_baton_t {
+ apr_hash_t *paths;
+ apr_pool_t *pool;
+ const char *deny;
+};
+
+static svn_error_t *
+authz_read_func(svn_boolean_t *allowed,
+ svn_fs_root_t *root,
+ const char *path,
+ void *baton,
+ apr_pool_t *pool)
+{
+ struct authz_read_baton_t *b = baton;
+
+ if (b->deny && !strcmp(b->deny, path))
+ *allowed = FALSE;
+ else
+ *allowed = TRUE;
+
+ apr_hash_set(b->paths, apr_pstrdup(b->pool, path), APR_HASH_KEY_STRING,
+ (void*)1);
+
+ return SVN_NO_ERROR;
+}
+
+static svn_error_t *
+verify_locations(apr_hash_t *actual,
+ apr_hash_t *expected,
+ apr_hash_t *checked,
+ apr_pool_t *pool)
+{
+ apr_hash_index_t *hi;
+
+ for (hi = apr_hash_first(pool, expected); hi; hi = apr_hash_next(hi))
+ {
+ const svn_revnum_t *rev = svn__apr_hash_index_key(hi);
+ const char *path = apr_hash_get(actual, rev, sizeof(svn_revnum_t));
+
+ if (!path)
+ return svn_error_createf(SVN_ERR_TEST_FAILED, NULL,
+ "expected %s for %d found (null)",
+ (char*)svn__apr_hash_index_val(hi),
+ (int)*rev);
+ else if (strcmp(path, svn__apr_hash_index_val(hi)))
+ return svn_error_createf(SVN_ERR_TEST_FAILED, NULL,
+ "expected %s for %d found %s",
+ (char*)svn__apr_hash_index_val(hi),
+ (int)*rev, path);
+
+ }
+
+ for (hi = apr_hash_first(pool, actual); hi; hi = apr_hash_next(hi))
+ {
+ const svn_revnum_t *rev = svn__apr_hash_index_key(hi);
+ const char *path = apr_hash_get(expected, rev, sizeof(svn_revnum_t));
+
+ if (!path)
+ return svn_error_createf(SVN_ERR_TEST_FAILED, NULL,
+ "found %s for %d expected (null)",
+ (char*)svn__apr_hash_index_val(hi),
+ (int)*rev);
+ else if (strcmp(path, svn__apr_hash_index_val(hi)))
+ return svn_error_createf(SVN_ERR_TEST_FAILED, NULL,
+ "found %s for %d expected %s",
+ (char*)svn__apr_hash_index_val(hi),
+ (int)*rev, path);
+
+ if (!apr_hash_get(checked, path, APR_HASH_KEY_STRING))
+ return svn_error_createf(SVN_ERR_TEST_FAILED, NULL,
+ "did not check %s", path);
+ }
+
+ return SVN_NO_ERROR;
+}
+
+static void
+set_expected(apr_hash_t *expected,
+ svn_revnum_t rev,
+ const char *path,
+ apr_pool_t *pool)
+{
+ svn_revnum_t *rp = apr_palloc(pool, sizeof(svn_revnum_t));
+ *rp = rev;
+ apr_hash_set(expected, rp, sizeof(svn_revnum_t), path);
+}
+
+static svn_error_t *
+trace_node_locations_authz(const svn_test_opts_t *opts,
+ apr_pool_t *pool)
+{
+ svn_repos_t *repos;
+ svn_fs_t *fs;
+ svn_revnum_t youngest_rev = 0;
+ svn_fs_txn_t *txn;
+ svn_fs_root_t *txn_root;
+ struct authz_read_baton_t arb;
+ apr_array_header_t *revs = apr_array_make(pool, 10, sizeof(svn_revnum_t));
+ apr_hash_t *locations;
+ apr_hash_t *expected = apr_hash_make(pool);
+ int i;
+
+ /* Create test repository. */
+ SVN_ERR(svn_test__create_repos(&repos, "test-repo-trace-node-locations-authz",
+ opts, pool));
+ fs = svn_repos_fs(repos);
+
+ /* r1 create A */
+ SVN_ERR(svn_fs_begin_txn(&txn, fs, youngest_rev, pool));
+ SVN_ERR(svn_fs_txn_root(&txn_root, txn, pool));
+ SVN_ERR(svn_fs_make_dir(txn_root, "A", pool));
+ SVN_ERR(svn_fs_make_file(txn_root, "A/f", pool));
+ SVN_ERR(svn_test__set_file_contents(txn_root, "A/f", "foobar", pool));
+ SVN_ERR(svn_repos_fs_commit_txn(NULL, repos, &youngest_rev, txn, pool));
+
+ /* r4 copy A to B */
+ SVN_ERR(mkdir_delete_copy(repos, "A", "B", pool));
+
+ /* r7 copy B to C */
+ SVN_ERR(mkdir_delete_copy(repos, "B", "C", pool));
+
+ /* r10 copy C to D */
+ SVN_ERR(mkdir_delete_copy(repos, "C", "D", pool));
+
+ SVN_ERR(svn_fs_youngest_rev(&youngest_rev, fs, pool));
+ SVN_ERR_ASSERT(youngest_rev == 10);
+
+ arb.paths = apr_hash_make(pool);
+ arb.pool = pool;
+ arb.deny = NULL;
+
+ apr_array_clear(revs);
+ for (i = 0; i <= youngest_rev; ++i)
+ APR_ARRAY_PUSH(revs, svn_revnum_t) = i;
+ set_expected(expected, 10, "/D/f", pool);
+ set_expected(expected, 8, "/C/f", pool);
+ set_expected(expected, 7, "/C/f", pool);
+ set_expected(expected, 5, "/B/f", pool);
+ set_expected(expected, 4, "/B/f", pool);
+ set_expected(expected, 2, "/A/f", pool);
+ set_expected(expected, 1, "/A/f", pool);
+ apr_hash_clear(arb.paths);
+ SVN_ERR(svn_repos_trace_node_locations(fs, &locations, "D/f", 10, revs,
+ authz_read_func, &arb, pool));
+ SVN_ERR(verify_locations(locations, expected, arb.paths, pool));
+
+ apr_array_clear(revs);
+ for (i = 1; i <= youngest_rev; ++i)
+ APR_ARRAY_PUSH(revs, svn_revnum_t) = i;
+ apr_hash_clear(arb.paths);
+ SVN_ERR(svn_repos_trace_node_locations(fs, &locations, "D/f", 10, revs,
+ authz_read_func, &arb, pool));
+ SVN_ERR(verify_locations(locations, expected, arb.paths, pool));
+
+ apr_array_clear(revs);
+ for (i = 2; i <= youngest_rev; ++i)
+ APR_ARRAY_PUSH(revs, svn_revnum_t) = i;
+ set_expected(expected, 1, NULL, pool);
+ apr_hash_clear(arb.paths);
+ SVN_ERR(svn_repos_trace_node_locations(fs, &locations, "D/f", 10, revs,
+ authz_read_func, &arb, pool));
+ SVN_ERR(verify_locations(locations, expected, arb.paths, pool));
+
+ apr_array_clear(revs);
+ for (i = 3; i <= youngest_rev; ++i)
+ APR_ARRAY_PUSH(revs, svn_revnum_t) = i;
+ set_expected(expected, 2, NULL, pool);
+ apr_hash_clear(arb.paths);
+ SVN_ERR(svn_repos_trace_node_locations(fs, &locations, "D/f", 10, revs,
+ authz_read_func, &arb, pool));
+ SVN_ERR(verify_locations(locations, expected, arb.paths, pool));
+
+ apr_array_clear(revs);
+ for (i = 6; i <= youngest_rev; ++i)
+ APR_ARRAY_PUSH(revs, svn_revnum_t) = i;
+ set_expected(expected, 5, NULL, pool);
+ set_expected(expected, 4, NULL, pool);
+ apr_hash_clear(arb.paths);
+ SVN_ERR(svn_repos_trace_node_locations(fs, &locations, "D/f", 10, revs,
+ authz_read_func, &arb, pool));
+ SVN_ERR(verify_locations(locations, expected, arb.paths, pool));
+
+ arb.deny = "/B/f";
+ apr_array_clear(revs);
+ for (i = 0; i <= youngest_rev; ++i)
+ APR_ARRAY_PUSH(revs, svn_revnum_t) = i;
+ apr_hash_clear(arb.paths);
+ SVN_ERR(svn_repos_trace_node_locations(fs, &locations, "D/f", 10, revs,
+ authz_read_func, &arb, pool));
+ SVN_ERR(verify_locations(locations, expected, arb.paths, pool));
+
+ apr_array_clear(revs);
+ for (i = 6; i <= youngest_rev; ++i)
+ APR_ARRAY_PUSH(revs, svn_revnum_t) = i;
+ apr_hash_clear(arb.paths);
+ SVN_ERR(svn_repos_trace_node_locations(fs, &locations, "D/f", 10, revs,
+ authz_read_func, &arb, pool));
+ SVN_ERR(verify_locations(locations, expected, arb.paths, pool));
+
+ APR_ARRAY_PUSH(revs, svn_revnum_t) = 0;
+ apr_hash_clear(arb.paths);
+ SVN_ERR(svn_repos_trace_node_locations(fs, &locations, "D/f", 10, revs,
+ authz_read_func, &arb, pool));
+ SVN_ERR(verify_locations(locations, expected, arb.paths, pool));
+
+ return SVN_NO_ERROR;
+}
+
/* The test table. */
struct svn_test_descriptor_t test_funcs[] =
@@ -2623,5 +2863,7 @@
"test issue 4060"),
SVN_TEST_OPTS_PASS(test_dump_r0_mergeinfo,
"test dumping with r0 mergeinfo"),
+ SVN_TEST_OPTS_PASS(trace_node_locations_authz,
+ "authz for svn_repos_trace_node_locations"),
SVN_TEST_NULL
};
diff --git a/win-tests.py b/win-tests.py
index 6b722de..a0b1dd9 100644
--- a/win-tests.py
+++ b/win-tests.py
@@ -466,6 +466,7 @@
self.httpd_config = os.path.join(self.root, 'httpd.conf')
self.httpd_users = os.path.join(self.root, 'users')
self.httpd_mime_types = os.path.join(self.root, 'mime.types')
+ self.httpd_groups = os.path.join(self.root, 'groups')
self.abs_builddir = abs_builddir
self.abs_objdir = abs_objdir
self.service_name = 'svn-test-httpd-' + str(httpd_port)
@@ -479,6 +480,7 @@
create_target_dir(self.root_dir)
self._create_users_file()
+ self._create_groups_file()
self._create_mime_types_file()
# Determine version.
@@ -520,6 +522,8 @@
if self.httpd_ver >= 2.2:
fp.write(self._sys_module('auth_basic_module', 'mod_auth_basic.so'))
fp.write(self._sys_module('authn_file_module', 'mod_authn_file.so'))
+ fp.write(self._sys_module('authz_groupfile_module', 'mod_authz_groupfile.so'))
+ fp.write(self._sys_module('authz_host_module', 'mod_authz_host.so'))
else:
fp.write(self._sys_module('auth_module', 'mod_auth.so'))
fp.write(self._sys_module('alias_module', 'mod_alias.so'))
@@ -533,6 +537,7 @@
# Define two locations for repositories
fp.write(self._svn_repo('repositories'))
fp.write(self._svn_repo('local_tmp'))
+ fp.write(self._svn_authz_repo())
# And two redirects for the redirect tests
fp.write('RedirectMatch permanent ^/svn-test-work/repositories/'
@@ -562,6 +567,17 @@
'jrandom', 'rayjandom'])
os.spawnv(os.P_WAIT, htpasswd, ['htpasswd.exe', '-mb', self.httpd_users,
'jconstant', 'rayjandom'])
+ os.spawnv(os.P_WAIT, htpasswd, ['htpasswd.exe', '-bp', self.httpd_users,
+ 'JRANDOM', 'rayjandom'])
+ os.spawnv(os.P_WAIT, htpasswd, ['htpasswd.exe', '-bp', self.httpd_users,
+ 'JCONSTANT', 'rayjandom'])
+
+ def _create_groups_file(self):
+ "Create groups for mod_authz_svn tests"
+ fp = open(self.httpd_groups, 'w')
+ fp.write('random: jrandom\n')
+ fp.write('constant: jconstant\n')
+ fp.close()
def _create_mime_types_file(self):
"Create empty mime.types file"
@@ -595,6 +611,153 @@
' Require valid-user\n' \
'</Location>\n'
+ def _svn_authz_repo(self):
+ local_tmp = os.path.join(self.abs_builddir,
+ CMDLINE_TEST_SCRIPT_NATIVE_PATH,
+ 'svn-test-work', 'local_tmp')
+ return \
+ '<Location /authz-test-work/anon>' + '\n' \
+ ' DAV svn' + '\n' \
+ ' SVNParentPath ' + local_tmp + '\n' \
+ ' AuthzSVNAccessFile ' + self._quote(self.authz_file) + '\n' \
+ ' SVNAdvertiseV2Protocol ' + self.httpv2_option + '\n' \
+ ' SVNListParentPath On' + '\n' \
+ ' <IfModule mod_authz_core.c>' + '\n' \
+ ' Require all granted' + '\n' \
+ ' </IfModule>' + '\n' \
+ ' <IfModule !mod_authz_core.c>' + '\n' \
+ ' Allow from all' + '\n' \
+ ' </IfModule>' + '\n' \
+ ' SVNPathAuthz ' + self.path_authz_option + '\n' \
+ '</Location>' + '\n' \
+ '<Location /authz-test-work/mixed>' + '\n' \
+ ' DAV svn' + '\n' \
+ ' SVNParentPath ' + local_tmp + '\n' \
+ ' AuthzSVNAccessFile ' + self._quote(self.authz_file) + '\n' \
+ ' SVNAdvertiseV2Protocol ' + self.httpv2_option + '\n' \
+ ' SVNListParentPath On' + '\n' \
+ ' AuthType Basic' + '\n' \
+ ' AuthName "Subversion Repository"' + '\n' \
+ ' AuthUserFile ' + self._quote(self.httpd_users) + '\n' \
+ ' Require valid-user' + '\n' \
+ ' Satisfy Any' + '\n' \
+ ' SVNPathAuthz ' + self.path_authz_option + '\n' \
+ '</Location>' + '\n' \
+ '<Location /authz-test-work/mixed-noauthwhenanon>' + '\n' \
+ ' DAV svn' + '\n' \
+ ' SVNParentPath ' + local_tmp + '\n' \
+ ' AuthzSVNAccessFile ' + self._quote(self.authz_file) + '\n' \
+ ' SVNAdvertiseV2Protocol ' + self.httpv2_option + '\n' \
+ ' SVNListParentPath On' + '\n' \
+ ' AuthType Basic' + '\n' \
+ ' AuthName "Subversion Repository"' + '\n' \
+ ' AuthUserFile ' + self._quote(self.httpd_users) + '\n' \
+ ' Require valid-user' + '\n' \
+ ' AuthzSVNNoAuthWhenAnonymousAllowed On' + '\n' \
+ ' SVNPathAuthz On' + '\n' \
+ '</Location>' + '\n' \
+ '<Location /authz-test-work/authn>' + '\n' \
+ ' DAV svn' + '\n' \
+ ' SVNParentPath ' + local_tmp + '\n' \
+ ' AuthzSVNAccessFile ' + self._quote(self.authz_file) + '\n' \
+ ' SVNAdvertiseV2Protocol ' + self.httpv2_option + '\n' \
+ ' SVNListParentPath On' + '\n' \
+ ' AuthType Basic' + '\n' \
+ ' AuthName "Subversion Repository"' + '\n' \
+ ' AuthUserFile ' + self._quote(self.httpd_users) + '\n' \
+ ' Require valid-user' + '\n' \
+ ' SVNPathAuthz ' + self.path_authz_option + '\n' \
+ '</Location>' + '\n' \
+ '<Location /authz-test-work/authn-anonoff>' + '\n' \
+ ' DAV svn' + '\n' \
+ ' SVNParentPath ' + local_tmp + '\n' \
+ ' AuthzSVNAccessFile ' + self._quote(self.authz_file) + '\n' \
+ ' SVNAdvertiseV2Protocol ' + self.httpv2_option + '\n' \
+ ' SVNListParentPath On' + '\n' \
+ ' AuthType Basic' + '\n' \
+ ' AuthName "Subversion Repository"' + '\n' \
+ ' AuthUserFile ' + self._quote(self.httpd_users) + '\n' \
+ ' Require valid-user' + '\n' \
+ ' AuthzSVNAnonymous Off' + '\n' \
+ ' SVNPathAuthz On' + '\n' \
+ '</Location>' + '\n' \
+ '<Location /authz-test-work/authn-lcuser>' + '\n' \
+ ' DAV svn' + '\n' \
+ ' SVNParentPath ' + local_tmp + '\n' \
+ ' AuthzSVNAccessFile ' + self._quote(self.authz_file) + '\n' \
+ ' SVNAdvertiseV2Protocol ' + self.httpv2_option + '\n' \
+ ' SVNListParentPath On' + '\n' \
+ ' AuthType Basic' + '\n' \
+ ' AuthName "Subversion Repository"' + '\n' \
+ ' AuthUserFile ' + self._quote(self.httpd_users) + '\n' \
+ ' Require valid-user' + '\n' \
+ ' AuthzForceUsernameCase Lower' + '\n' \
+ ' SVNPathAuthz ' + self.path_authz_option + '\n' \
+ '</Location>' + '\n' \
+ '<Location /authz-test-work/authn-lcuser>' + '\n' \
+ ' DAV svn' + '\n' \
+ ' SVNParentPath ' + local_tmp + '\n' \
+ ' AuthzSVNAccessFile ' + self._quote(self.authz_file) + '\n' \
+ ' SVNAdvertiseV2Protocol ' + self.httpv2_option + '\n' \
+ ' SVNListParentPath On' + '\n' \
+ ' AuthType Basic' + '\n' \
+ ' AuthName "Subversion Repository"' + '\n' \
+ ' AuthUserFile ' + self._quote(self.httpd_users) + '\n' \
+ ' Require valid-user' + '\n' \
+ ' AuthzForceUsernameCase Lower' + '\n' \
+ ' SVNPathAuthz ' + self.path_authz_option + '\n' \
+ '</Location>' + '\n' \
+ '<Location /authz-test-work/authn-group>' + '\n' \
+ ' DAV svn' + '\n' \
+ ' SVNParentPath ' + local_tmp + '\n' \
+ ' AuthzSVNAccessFile ' + self._quote(self.authz_file) + '\n' \
+ ' SVNAdvertiseV2Protocol ' + self.httpv2_option + '\n' \
+ ' SVNListParentPath On' + '\n' \
+ ' AuthType Basic' + '\n' \
+ ' AuthName "Subversion Repository"' + '\n' \
+ ' AuthUserFile ' + self._quote(self.httpd_users) + '\n' \
+ ' AuthGroupFile ' + self._quote(self.httpd_groups) + '\n' \
+ ' Require group random' + '\n' \
+ ' AuthzSVNAuthoritative Off' + '\n' \
+ ' SVNPathAuthz On' + '\n' \
+ '</Location>' + '\n' \
+ '<IfModule mod_authz_core.c>' + '\n' \
+ '<Location /authz-test-work/sallrany>' + '\n' \
+ ' DAV svn' + '\n' \
+ ' SVNParentPath ' + local_tmp + '\n' \
+ ' AuthzSVNAccessFile ' + self._quote(self.authz_file) + '\n' \
+ ' SVNAdvertiseV2Protocol ' + self.httpv2_option + '\n' \
+ ' SVNListParentPath On' + '\n' \
+ ' AuthType Basic' + '\n' \
+ ' AuthName "Subversion Repository"' + '\n' \
+ ' AuthUserFile ' + self._quote(self.httpd_users) + '\n' \
+ ' AuthzSendForbiddenOnFailure On' + '\n' \
+ ' Satisfy All' + '\n' \
+ ' <RequireAny>' + '\n' \
+ ' Require valid-user' + '\n' \
+ ' Require expr req(\'ALLOW\') == \'1\'' + '\n' \
+ ' </RequireAny>' + '\n' \
+ ' SVNPathAuthz ' + self.path_authz_option + '\n' \
+ '</Location>' + '\n' \
+ '<Location /authz-test-work/sallrall>'+ '\n' \
+ ' DAV svn' + '\n' \
+ ' SVNParentPath ' + local_tmp + '\n' \
+ ' AuthzSVNAccessFile ' + self._quote(self.authz_file) + '\n' \
+ ' SVNAdvertiseV2Protocol ' + self.httpv2_option + '\n' \
+ ' SVNListParentPath On' + '\n' \
+ ' AuthType Basic' + '\n' \
+ ' AuthName "Subversion Repository"' + '\n' \
+ ' AuthUserFile ' + self._quote(self.httpd_users) + '\n' \
+ ' AuthzSendForbiddenOnFailure On' + '\n' \
+ ' Satisfy All' + '\n' \
+ ' <RequireAll>' + '\n' \
+ ' Require valid-user' + '\n' \
+ ' Require expr req(\'ALLOW\') == \'1\'' + '\n' \
+ ' </RequireAll>' + '\n' \
+ ' SVNPathAuthz ' + self.path_authz_option + '\n' \
+ '</Location>' + '\n' \
+ '</IfModule>' + '\n' \
+
def start(self):
if self.service:
self._start_service()
@@ -728,6 +891,10 @@
log_file = os.path.join(abs_builddir, log)
fail_log_file = os.path.join(abs_builddir, faillog)
+ if run_httpd:
+ httpd_version = "%.1f" % daemon.httpd_ver
+ else:
+ httpd_version = None
th = run_tests.TestHarness(abs_srcdir, abs_builddir,
log_file,
fail_log_file,
@@ -736,7 +903,8 @@
cleanup, enable_sasl, parallel, config_file,
fsfs_sharding, fsfs_packing,
list_tests, svn_bin, mode_filter,
- milestone_filter)
+ milestone_filter,
+ httpd_version=httpd_version)
old_cwd = os.getcwd()
try:
os.chdir(abs_builddir)
