1 /*
2 * config_auth.c : authentication files in the user config area
3 *
4 * ====================================================================
5 * Licensed to the Apache Software Foundation (ASF) under one
6 * or more contributor license agreements. See the NOTICE file
7 * distributed with this work for additional information
8 * regarding copyright ownership. The ASF licenses this file
9 * to you under the Apache License, Version 2.0 (the
10 * "License"); you may not use this file except in compliance
11 * with the License. You may obtain a copy of the License at
12 *
13 * http://www.apache.org/licenses/LICENSE-2.0
14 *
15 * Unless required by applicable law or agreed to in writing,
16 * software distributed under the License is distributed on an
17 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
18 * KIND, either express or implied. See the License for the
19 * specific language governing permissions and limitations
20 * under the License.
21 * ====================================================================
22 */
23
24
25
26 #include "svn_dirent_uri.h"
27 #include "svn_hash.h"
28 #include "svn_io.h"
29 #include "svn_pools.h"
30 #include "config_impl.h"
31
32 #include "auth.h"
33
34 #include "svn_private_config.h"
35
36 #include "private/svn_auth_private.h"
37
38 /* Helper for svn_config_{read|write}_auth_data. Return a path to a
39 file within ~/.subversion/auth/ that holds CRED_KIND credentials
40 within REALMSTRING. If no path is available *PATH will be set to
41 NULL. */
42 svn_error_t *
svn_auth__file_path(const char ** path,const char * cred_kind,const char * realmstring,const char * config_dir,apr_pool_t * pool)43 svn_auth__file_path(const char **path,
44 const char *cred_kind,
45 const char *realmstring,
46 const char *config_dir,
47 apr_pool_t *pool)
48 {
49 const char *authdir_path, *hexname;
50 svn_checksum_t *checksum;
51
52 /* Construct the path to the directory containing the creds files,
53 e.g. "~/.subversion/auth/svn.simple". The last component is
54 simply the cred_kind. */
55 SVN_ERR(svn_config_get_user_config_path(&authdir_path, config_dir,
56 SVN_CONFIG__AUTH_SUBDIR, pool));
57 if (authdir_path)
58 {
59 authdir_path = svn_dirent_join(authdir_path, cred_kind, pool);
60
61 /* Construct the basename of the creds file. It's just the
62 realmstring converted into an md5 hex string. */
63 SVN_ERR(svn_checksum(&checksum, svn_checksum_md5, realmstring,
64 strlen(realmstring), pool));
65 hexname = svn_checksum_to_cstring(checksum, pool);
66
67 *path = svn_dirent_join(authdir_path, hexname, pool);
68 }
69 else
70 *path = NULL;
71
72 return SVN_NO_ERROR;
73 }
74
75
76 svn_error_t *
svn_config_read_auth_data(apr_hash_t ** hash,const char * cred_kind,const char * realmstring,const char * config_dir,apr_pool_t * pool)77 svn_config_read_auth_data(apr_hash_t **hash,
78 const char *cred_kind,
79 const char *realmstring,
80 const char *config_dir,
81 apr_pool_t *pool)
82 {
83 svn_node_kind_t kind;
84 const char *auth_path;
85
86 *hash = NULL;
87
88 SVN_ERR(svn_auth__file_path(&auth_path, cred_kind, realmstring, config_dir,
89 pool));
90 if (! auth_path)
91 return SVN_NO_ERROR;
92
93 SVN_ERR(svn_io_check_path(auth_path, &kind, pool));
94 if (kind == svn_node_file)
95 {
96 svn_stream_t *stream;
97 svn_string_t *stored_realm;
98
99 SVN_ERR_W(svn_stream_open_readonly(&stream, auth_path, pool, pool),
100 _("Unable to open auth file for reading"));
101
102 *hash = apr_hash_make(pool);
103
104 SVN_ERR_W(svn_hash_read2(*hash, stream, SVN_HASH_TERMINATOR, pool),
105 apr_psprintf(pool, _("Error parsing '%s'"),
106 svn_dirent_local_style(auth_path, pool)));
107
108 stored_realm = svn_hash_gets(*hash, SVN_CONFIG_REALMSTRING_KEY);
109
110 if (!stored_realm || strcmp(stored_realm->data, realmstring) != 0)
111 *hash = NULL; /* Hash collision, or somebody tampering with storage */
112
113 SVN_ERR(svn_stream_close(stream));
114 }
115
116 return SVN_NO_ERROR;
117 }
118
119
120 svn_error_t *
svn_config_write_auth_data(apr_hash_t * hash,const char * cred_kind,const char * realmstring,const char * config_dir,apr_pool_t * pool)121 svn_config_write_auth_data(apr_hash_t *hash,
122 const char *cred_kind,
123 const char *realmstring,
124 const char *config_dir,
125 apr_pool_t *pool)
126 {
127 apr_file_t *authfile = NULL;
128 svn_stream_t *stream;
129 const char *auth_path;
130
131 SVN_ERR(svn_auth__file_path(&auth_path, cred_kind, realmstring, config_dir,
132 pool));
133 if (! auth_path)
134 return svn_error_create(SVN_ERR_NO_AUTH_FILE_PATH, NULL,
135 _("Unable to locate auth file"));
136
137 /* Add the realmstring to the hash, so programs (or users) can
138 verify exactly which set of credentials this file holds. */
139 svn_hash_sets(hash, SVN_CONFIG_REALMSTRING_KEY,
140 svn_string_create(realmstring, pool));
141
142 SVN_ERR_W(svn_io_file_open(&authfile, auth_path,
143 (APR_WRITE | APR_CREATE | APR_TRUNCATE
144 | APR_BUFFERED),
145 APR_OS_DEFAULT, pool),
146 _("Unable to open auth file for writing"));
147
148 stream = svn_stream_from_aprfile2(authfile, FALSE, pool);
149 SVN_ERR_W(svn_hash_write2(hash, stream, SVN_HASH_TERMINATOR, pool),
150 apr_psprintf(pool, _("Error writing hash to '%s'"),
151 svn_dirent_local_style(auth_path, pool)));
152
153 SVN_ERR(svn_stream_close(stream));
154
155 /* To be nice, remove the realmstring from the hash again, just in
156 case the caller wants their hash unchanged. */
157 svn_hash_sets(hash, SVN_CONFIG_REALMSTRING_KEY, NULL);
158
159 return SVN_NO_ERROR;
160 }
161
162
163 svn_error_t *
svn_config_walk_auth_data(const char * config_dir,svn_config_auth_walk_func_t walk_func,void * walk_baton,apr_pool_t * scratch_pool)164 svn_config_walk_auth_data(const char *config_dir,
165 svn_config_auth_walk_func_t walk_func,
166 void *walk_baton,
167 apr_pool_t *scratch_pool)
168 {
169 int i;
170 apr_pool_t *iterpool;
171 svn_boolean_t finished = FALSE;
172 const char *cred_kinds[] =
173 {
174 SVN_AUTH_CRED_SIMPLE,
175 SVN_AUTH_CRED_USERNAME,
176 SVN_AUTH_CRED_SSL_CLIENT_CERT,
177 SVN_AUTH_CRED_SSL_CLIENT_CERT_PW,
178 SVN_AUTH_CRED_SSL_SERVER_TRUST,
179 NULL
180 };
181
182 iterpool = svn_pool_create(scratch_pool);
183 for (i = 0; cred_kinds[i]; i++)
184 {
185 const char *item_path;
186 const char *dir_path;
187 apr_hash_t *nodes;
188 svn_error_t *err;
189 apr_pool_t *itempool;
190 apr_hash_index_t *hi;
191
192 svn_pool_clear(iterpool);
193
194 if (finished)
195 break;
196
197 SVN_ERR(svn_auth__file_path(&item_path, cred_kinds[i], "!", config_dir,
198 iterpool));
199
200 dir_path = svn_dirent_dirname(item_path, iterpool);
201
202 err = svn_io_get_dirents3(&nodes, dir_path, TRUE, iterpool, iterpool);
203 if (err)
204 {
205 if (!APR_STATUS_IS_ENOENT(err->apr_err)
206 && !SVN__APR_STATUS_IS_ENOTDIR(err->apr_err))
207 return svn_error_trace(err);
208
209 svn_error_clear(err);
210 continue;
211 }
212
213 itempool = svn_pool_create(iterpool);
214 for (hi = apr_hash_first(iterpool, nodes); hi; hi = apr_hash_next(hi))
215 {
216 svn_io_dirent2_t *dirent = svn__apr_hash_index_val(hi);
217 svn_stream_t *stream;
218 apr_hash_t *creds_hash;
219 const svn_string_t *realm;
220 svn_boolean_t delete_file = FALSE;
221
222 if (finished)
223 break;
224
225 if (dirent->kind != svn_node_file)
226 continue;
227
228 svn_pool_clear(itempool);
229
230 item_path = svn_dirent_join(dir_path, svn__apr_hash_index_key(hi),
231 itempool);
232
233 err = svn_stream_open_readonly(&stream, item_path,
234 itempool, itempool);
235 if (err)
236 {
237 /* Ignore this file. There are no credentials in it anyway */
238 svn_error_clear(err);
239 continue;
240 }
241
242 creds_hash = apr_hash_make(itempool);
243 err = svn_hash_read2(creds_hash, stream,
244 SVN_HASH_TERMINATOR, itempool);
245 err = svn_error_compose_create(err, svn_stream_close(stream));
246 if (err)
247 {
248 /* Ignore this file. There are no credentials in it anyway */
249 svn_error_clear(err);
250 continue;
251 }
252
253 realm = svn_hash_gets(creds_hash, SVN_CONFIG_REALMSTRING_KEY);
254 if (! realm)
255 continue; /* Not an auth file */
256
257 err = walk_func(&delete_file, walk_baton, cred_kinds[i],
258 realm->data, creds_hash, itempool);
259 if (err && err->apr_err == SVN_ERR_CEASE_INVOCATION)
260 {
261 svn_error_clear(err);
262 err = SVN_NO_ERROR;
263 finished = TRUE;
264 }
265 SVN_ERR(err);
266
267 if (delete_file)
268 {
269 /* Delete the file on disk */
270 SVN_ERR(svn_io_remove_file2(item_path, TRUE, itempool));
271 }
272 }
273 }
274
275 svn_pool_destroy(iterpool);
276 return SVN_NO_ERROR;
277 }
278