1/* 2 * config_auth.c : authentication files in the user config area 3 * 4 * ==================================================================== 5 * Licensed to the Apache Software Foundation (ASF) under one 6 * or more contributor license agreements. See the NOTICE file 7 * distributed with this work for additional information 8 * regarding copyright ownership. The ASF licenses this file 9 * to you under the Apache License, Version 2.0 (the 10 * "License"); you may not use this file except in compliance 11 * with the License. You may obtain a copy of the License at 12 * 13 * http://www.apache.org/licenses/LICENSE-2.0 14 * 15 * Unless required by applicable law or agreed to in writing, 16 * software distributed under the License is distributed on an 17 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 18 * KIND, either express or implied. See the License for the 19 * specific language governing permissions and limitations 20 * under the License. 21 * ==================================================================== 22 */ 23 24 25 26#include "svn_dirent_uri.h" 27#include "svn_hash.h" 28#include "svn_io.h" 29#include "svn_pools.h" 30#include "config_impl.h" 31 32#include "auth.h" 33 34#include "svn_private_config.h" 35 36#include "private/svn_auth_private.h" 37 38/* Helper for svn_config_{read|write}_auth_data. Return a path to a 39 file within ~/.subversion/auth/ that holds CRED_KIND credentials 40 within REALMSTRING. If no path is available *PATH will be set to 41 NULL. */ 42svn_error_t * 43svn_auth__file_path(const char **path, 44 const char *cred_kind, 45 const char *realmstring, 46 const char *config_dir, 47 apr_pool_t *pool) 48{ 49 const char *authdir_path, *hexname; 50 svn_checksum_t *checksum; 51 52 /* Construct the path to the directory containing the creds files, 53 e.g. "~/.subversion/auth/svn.simple". The last component is 54 simply the cred_kind. */ 55 SVN_ERR(svn_config_get_user_config_path(&authdir_path, config_dir, 56 SVN_CONFIG__AUTH_SUBDIR, pool)); 57 if (authdir_path) 58 { 59 authdir_path = svn_dirent_join(authdir_path, cred_kind, pool); 60 61 /* Construct the basename of the creds file. It's just the 62 realmstring converted into an md5 hex string. */ 63 SVN_ERR(svn_checksum(&checksum, svn_checksum_md5, realmstring, 64 strlen(realmstring), pool)); 65 hexname = svn_checksum_to_cstring(checksum, pool); 66 67 *path = svn_dirent_join(authdir_path, hexname, pool); 68 } 69 else 70 *path = NULL; 71 72 return SVN_NO_ERROR; 73} 74 75 76svn_error_t * 77svn_config_read_auth_data(apr_hash_t **hash, 78 const char *cred_kind, 79 const char *realmstring, 80 const char *config_dir, 81 apr_pool_t *pool) 82{ 83 svn_node_kind_t kind; 84 const char *auth_path; 85 86 *hash = NULL; 87 88 SVN_ERR(svn_auth__file_path(&auth_path, cred_kind, realmstring, config_dir, 89 pool)); 90 if (! auth_path) 91 return SVN_NO_ERROR; 92 93 SVN_ERR(svn_io_check_path(auth_path, &kind, pool)); 94 if (kind == svn_node_file) 95 { 96 svn_stream_t *stream; 97 svn_string_t *stored_realm; 98 99 SVN_ERR_W(svn_stream_open_readonly(&stream, auth_path, pool, pool), 100 _("Unable to open auth file for reading")); 101 102 *hash = apr_hash_make(pool); 103 104 SVN_ERR_W(svn_hash_read2(*hash, stream, SVN_HASH_TERMINATOR, pool), 105 apr_psprintf(pool, _("Error parsing '%s'"), 106 svn_dirent_local_style(auth_path, pool))); 107 108 stored_realm = svn_hash_gets(*hash, SVN_CONFIG_REALMSTRING_KEY); 109 110 if (!stored_realm || strcmp(stored_realm->data, realmstring) != 0) 111 *hash = NULL; /* Hash collision, or somebody tampering with storage */ 112 113 SVN_ERR(svn_stream_close(stream)); 114 } 115 116 return SVN_NO_ERROR; 117} 118 119 120svn_error_t * 121svn_config_write_auth_data(apr_hash_t *hash, 122 const char *cred_kind, 123 const char *realmstring, 124 const char *config_dir, 125 apr_pool_t *pool) 126{ 127 apr_file_t *authfile = NULL; 128 svn_stream_t *stream; 129 const char *auth_path; 130 131 SVN_ERR(svn_auth__file_path(&auth_path, cred_kind, realmstring, config_dir, 132 pool)); 133 if (! auth_path) 134 return svn_error_create(SVN_ERR_NO_AUTH_FILE_PATH, NULL, 135 _("Unable to locate auth file")); 136 137 /* Add the realmstring to the hash, so programs (or users) can 138 verify exactly which set of credentials this file holds. */ 139 svn_hash_sets(hash, SVN_CONFIG_REALMSTRING_KEY, 140 svn_string_create(realmstring, pool)); 141 142 SVN_ERR_W(svn_io_file_open(&authfile, auth_path, 143 (APR_WRITE | APR_CREATE | APR_TRUNCATE 144 | APR_BUFFERED), 145 APR_OS_DEFAULT, pool), 146 _("Unable to open auth file for writing")); 147 148 stream = svn_stream_from_aprfile2(authfile, FALSE, pool); 149 SVN_ERR_W(svn_hash_write2(hash, stream, SVN_HASH_TERMINATOR, pool), 150 apr_psprintf(pool, _("Error writing hash to '%s'"), 151 svn_dirent_local_style(auth_path, pool))); 152 153 SVN_ERR(svn_stream_close(stream)); 154 155 /* To be nice, remove the realmstring from the hash again, just in 156 case the caller wants their hash unchanged. */ 157 svn_hash_sets(hash, SVN_CONFIG_REALMSTRING_KEY, NULL); 158 159 return SVN_NO_ERROR; 160} 161 162 163svn_error_t * 164svn_config_walk_auth_data(const char *config_dir, 165 svn_config_auth_walk_func_t walk_func, 166 void *walk_baton, 167 apr_pool_t *scratch_pool) 168{ 169 int i; 170 apr_pool_t *iterpool; 171 svn_boolean_t finished = FALSE; 172 const char *cred_kinds[] = 173 { 174 SVN_AUTH_CRED_SIMPLE, 175 SVN_AUTH_CRED_USERNAME, 176 SVN_AUTH_CRED_SSL_CLIENT_CERT, 177 SVN_AUTH_CRED_SSL_CLIENT_CERT_PW, 178 SVN_AUTH_CRED_SSL_SERVER_TRUST, 179 NULL 180 }; 181 182 iterpool = svn_pool_create(scratch_pool); 183 for (i = 0; cred_kinds[i]; i++) 184 { 185 const char *item_path; 186 const char *dir_path; 187 apr_hash_t *nodes; 188 svn_error_t *err; 189 apr_pool_t *itempool; 190 apr_hash_index_t *hi; 191 192 svn_pool_clear(iterpool); 193 194 if (finished) 195 break; 196 197 SVN_ERR(svn_auth__file_path(&item_path, cred_kinds[i], "!", config_dir, 198 iterpool)); 199 200 dir_path = svn_dirent_dirname(item_path, iterpool); 201 202 err = svn_io_get_dirents3(&nodes, dir_path, TRUE, iterpool, iterpool); 203 if (err) 204 { 205 if (!APR_STATUS_IS_ENOENT(err->apr_err) 206 && !SVN__APR_STATUS_IS_ENOTDIR(err->apr_err)) 207 return svn_error_trace(err); 208 209 svn_error_clear(err); 210 continue; 211 } 212 213 itempool = svn_pool_create(iterpool); 214 for (hi = apr_hash_first(iterpool, nodes); hi; hi = apr_hash_next(hi)) 215 { 216 svn_io_dirent2_t *dirent = svn__apr_hash_index_val(hi); 217 svn_stream_t *stream; 218 apr_hash_t *creds_hash; 219 const svn_string_t *realm; 220 svn_boolean_t delete_file = FALSE; 221 222 if (finished) 223 break; 224 225 if (dirent->kind != svn_node_file) 226 continue; 227 228 svn_pool_clear(itempool); 229 230 item_path = svn_dirent_join(dir_path, svn__apr_hash_index_key(hi), 231 itempool); 232 233 err = svn_stream_open_readonly(&stream, item_path, 234 itempool, itempool); 235 if (err) 236 { 237 /* Ignore this file. There are no credentials in it anyway */ 238 svn_error_clear(err); 239 continue; 240 } 241 242 creds_hash = apr_hash_make(itempool); 243 err = svn_hash_read2(creds_hash, stream, 244 SVN_HASH_TERMINATOR, itempool); 245 err = svn_error_compose_create(err, svn_stream_close(stream)); 246 if (err) 247 { 248 /* Ignore this file. There are no credentials in it anyway */ 249 svn_error_clear(err); 250 continue; 251 } 252 253 realm = svn_hash_gets(creds_hash, SVN_CONFIG_REALMSTRING_KEY); 254 if (! realm) 255 continue; /* Not an auth file */ 256 257 err = walk_func(&delete_file, walk_baton, cred_kinds[i], 258 realm->data, creds_hash, itempool); 259 if (err && err->apr_err == SVN_ERR_CEASE_INVOCATION) 260 { 261 svn_error_clear(err); 262 err = SVN_NO_ERROR; 263 finished = TRUE; 264 } 265 SVN_ERR(err); 266 267 if (delete_file) 268 { 269 /* Delete the file on disk */ 270 SVN_ERR(svn_io_remove_file2(item_path, TRUE, itempool)); 271 } 272 } 273 } 274 275 svn_pool_destroy(iterpool); 276 return SVN_NO_ERROR; 277} 278