WebSVN user access control

What I wanted

I didn't have our Subversion server configured for HTTP+SVN; it was only configured for local access using the svn commands, with specified IPs also allowed to connect to the Subversion process port using SVN clients. Our programmers requested WebSVN not to add or edit content in the repos, but just for viewing, for people who may want to view the code to submit bug reports and such. However, with multiple repos, the users didn't want other Subversion users to be able to view their code, so I had to use the SVN access file to restrict who could "see" what.

To resolve this, I added Apache authorization on the WebSVN site, created a redirect from http:// to https:// so that usernames and passwords wouldn't be sent in clear text, and used the SVN access file to allow access to the repos.

Note: With the way I did this, users must be authenticated even to view the listing of the repositories. Apache has a Satisfy Any directive you can use to allow the listing of the repositories, but we didn't need that.

Installation

* Download it from http://websvn.tigris.org/servlets/ProjectDocumentList;jsessionid=24F17B3F5279F7DE3BB39F064A2C4A03

* Extract the archive into any directory within your Apache DocumentRoot

Configuration

config.php

In the includes folder under the WebSVN installation directory, copy the file distconfig.php to config.php and edit it as follows.

Add the following line, once for each repository:

$config->addRepository('Repo Display Name', 'file:///path/to/svn/repositories/reponame');

Modify the following line to include the path to the Subversion repositories:

$config->parentPath("/path/to/svn/repositories");

Choose the template you would like to use:

$config->setTemplatePath("$locwebsvnreal/templates/calm/");

Tell WebSVN to use the Subversion access file to restrict which repositories can be viewed through WebSVN:

$config->useAuthenticationFile('/path/to/svn_access');

Subversion Access File

Located at /path/to/svn_access. The access file below will allow every authenticated user read access for a listing of all the repos. On selecting repo1, user1 and user2 will be able to view the entire repo1, but user3 and user4 will not.

[groups]
admins = admin1, admin2, admin3

[/:/]
@admins = rw
* = r

[repo1:/]
@admins = r
user1 = r
user2 = r

[repo2:/]
@admins = r
user3 = r
user4 = r
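To review an access file like the one above before pointing WebSVN at it, the following sketch parses it, expands @group entries, and reports what each section grants explicitly and which sections grant access to "*". It is an added example, not part of the original post or of WebSVN; the function names are hypothetical, and it does not model inheritance between sections or groups nested inside groups.

```python
import configparser

# Constructed sample: the access file shown above.
SAMPLE_AUTHZ = """\
[groups]
admins = admin1, admin2, admin3
[/:/]
@admins = rw
* = r
[repo1:/]
@admins = r
user1 = r
user2 = r
[repo2:/]
@admins = r
user3 = r
user4 = r
"""


def explicit_grants(authz_text):
    """Return {section: {principal: access}}, with @group entries expanded."""
    # Reports only what each section states: no inheritance, no nested groups.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # user and group names are case-sensitive
    cp.read_string(authz_text)
    groups = {}
    for name, members in (cp["groups"].items() if "groups" in cp else ()):
        groups[name] = [m.strip() for m in members.split(",") if m.strip()]
    grants = {}
    for section in (s for s in cp.sections() if s != "groups"):
        entry = grants.setdefault(section, {})
        for principal, access in cp.items(section):
            if principal.startswith("@"):
                if principal[1:] not in groups:
                    raise ValueError(f"{section}: undefined group {principal}")
                for member in groups[principal[1:]]:
                    entry[member] = access
            else:
                entry[principal] = access
    return grants


def wildcard_sections(grants):
    """Sections that grant some access to '*', i.e. to every user."""
    return sorted(s for s, g in grants.items() if g.get("*"))
```

For the sample, explicit_grants(SAMPLE_AUTHZ)["repo1:/"] lists admin1 to admin3, user1 and user2, and wildcard_sections flags only the /:/ section.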

Apache Subversion.conf

Add the following Location section to Apache's subversion.conf file:

<Location "/websvn/">
# Redirect plain-HTTP requests to the HTTPS site.
RewriteEngine on
RewriteBase /
RewriteCond %{HTTPS} !=on
# REQUEST_URI already begins with "/", so no extra slash after the host name.
RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
# Require SSL connection for password protection.
SSLOptions +StrictRequire
SSLRequireSSL
# Allow access to users from a local file on the web server created with htpasswd or users from our AD
AuthBasicProvider file ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthUserFile /path/to/htpasswd/file
AuthName "Restricted Access"
# NONE means the connection from Apache to the directory server is not encrypted.
AuthLDAPURL "ldap://domaincontroller.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "authorizebindldapuser@example.com"
# The bind password is stored in clear text here, so restrict who can read this file.
AuthLDAPBindPassword "bindusers password"
Require valid-user
</Location>

NOTE: If we were serving our Subversion repository via HTTP or HTTPS, we would need a section in Apache like the following. You would need these options to configure HTTP(S)+SVN access:

<Location "/svn">
DAV svn
Satisfy Any
SVNParentPath /path/to/svn/repositories
SVNListParentPath on
# Our access control policy
SVNPathAuthz on
AuthzSVNAccessFile /path/to/svn_access
</Location>



Install WebSVN

* Download it from http://websvn.tigris.org/servlets/ProjectDocumentList;jsessionid=24F17B3F5279F7DE3BB39F064A2C4A03

* Extract the archive into any directory within your Apache DocumentRoot

* In the “includes” directory of the extracted WebSVN directory, edit the distconfig.inc file and add the following lines:

$config->parentPath("/svn/repos");
$config->setTemplatePath("$locwebsvnreal/templates/BlueGrey/");

* Save the file and then rename it to config.inc

* Open the URI http://servername.com/WebSVN