Author: cmpilato
Date: Fri Sep 7 13:53:05 2012
New Revision: 1382028
URL: http://svn.apache.org/viewvc?rev=1382028&view=rev
Log:
Finish issue #2410 ("Allow client to avoid SSL certificate prompts").
This adds a runtime configuration knob for explicitly enabling and
disabling the client certificate path prompt provider.
* subversion/include/svn_config.h
(SVN_CONFIG_OPTION_SSL_CLIENT_CERT_FILE_PROMPT): New #define.
* subversion/libsvn_subr/config_file.c
(svn_config_ensure): Add configuration templatry for the new
'ssl-client-cert-file-prompt' option.
* subversion/libsvn_subr/cmdline.c
(svn_cmdline_create_auth_baton): Check the runtime configuration to
see if we're allowed to prompt for client certificate paths, and
add the provider which does so only if that is, in fact, allowed.
NOTE: I don't know if "templatry" (used above) is a real word or not,
but I rather like it. -- cmpilato
Patch by: kfogel
(Tweaked by me.)
Modified:
subversion/trunk/subversion/include/svn_config.h
subversion/trunk/subversion/libsvn_subr/cmdline.c
subversion/trunk/subversion/libsvn_subr/config_file.c
Modified: subversion/trunk/subversion/include/svn_config.h
URL:
http://svn.apache.org/viewvc/subversion/trunk/subversion/include/svn_config.h?rev=1382028&r1=1382027&r2=1382028&view=diff
==============================================================================
--- subversion/trunk/subversion/include/svn_config.h (original)
+++ subversion/trunk/subversion/include/svn_config.h Fri Sep 7 13:53:05 2012
@@ -92,6 +92,8 @@ typedef struct svn_config_t svn_config_t
#define SVN_CONFIG_OPTION_PASSWORD_STORES "password-stores"
#define SVN_CONFIG_OPTION_KWALLET_WALLET "kwallet-wallet"
#define SVN_CONFIG_OPTION_KWALLET_SVN_APPLICATION_NAME_WITH_PID
"kwallet-svn-application-name-with-pid"
+/** @since New in 1.8. */
+#define SVN_CONFIG_OPTION_SSL_CLIENT_CERT_FILE_PROMPT
"ssl-client-cert-file-prompt"
/* The majority of options of the "auth" section
* has been moved to SVN_CONFIG_CATEGORY_SERVERS. */
#define SVN_CONFIG_SECTION_HELPERS "helpers"
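Review bot: The doc comment on `SVN_CONFIG_OPTION_SSL_CLIENT_CERT_FILE_PROMPT` carries only the `@since` tag, so the public header does not say what the option controls. Since this knob decides whether the client may prompt for a client-certificate path, I would spell that out, e.g. `/** Boolean option in the auth section: whether to prompt for a client certificate file path. @since New in 1.8. */`.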
Modified: subversion/trunk/subversion/libsvn_subr/cmdline.c
URL:
http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_subr/cmdline.c?rev=1382028&r1=1382027&r2=1382028&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_subr/cmdline.c (original)
+++ subversion/trunk/subversion/libsvn_subr/cmdline.c Fri Sep 7 13:53:05 2012
@@ -526,6 +526,13 @@ svn_cmdline_create_auth_baton(svn_auth_b
if (non_interactive == FALSE)
{
+ svn_boolean_t ssl_client_cert_file_prompt;
+
+ SVN_ERR(svn_config_get_bool(cfg, &ssl_client_cert_file_prompt,
+ SVN_CONFIG_SECTION_AUTH,
+
SVN_CONFIG_OPTION_SSL_CLIENT_CERT_FILE_PROMPT,
+ FALSE));
+
/* Two basic prompt providers: username/password, and just username. */
svn_auth_get_simple_prompt_provider(&provider,
svn_cmdline_auth_simple_prompt,
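Review bot: The `FALSE` default passed to `svn_config_get_bool()` makes client-certificate path prompting opt-in, and nothing at the call site says this is deliberate. An interactive client whose configuration has no `ssl-client-cert-file-prompt` entry stops offering that prompt, because the provider was registered unconditionally before (see the lines removed in the next hunk). I would add a comment above the call such as `/* Client-cert path prompting is opt-in; absent from the config means no prompt (issue #2410). */`. Because the lookup sits inside the `non_interactive == FALSE` branch, a malformed value is presumably reported through `SVN_ERR` only in interactive runs. The body of `svn_cmdline_create_auth_baton` starts and ends outside this hunk.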
@@ -539,19 +546,23 @@ svn_cmdline_create_auth_baton(svn_auth_b
2, /* retry limit */ pool);
APR_ARRAY_PUSH(providers, svn_auth_provider_object_t *) = provider;
- /* Three ssl prompt providers, for server-certs, client-certs,
- and client-cert-passphrases. */
+ /* SSL prompt providers: server-certs and client-cert-passphrases. */
svn_auth_get_ssl_server_trust_prompt_provider
(&provider, svn_cmdline_auth_ssl_server_trust_prompt, pb, pool);
APR_ARRAY_PUSH(providers, svn_auth_provider_object_t *) = provider;
- svn_auth_get_ssl_client_cert_prompt_provider
- (&provider, svn_cmdline_auth_ssl_client_cert_prompt, pb, 2, pool);
- APR_ARRAY_PUSH(providers, svn_auth_provider_object_t *) = provider;
-
svn_auth_get_ssl_client_cert_pw_prompt_provider
(&provider, svn_cmdline_auth_ssl_client_cert_pw_prompt, pb, 2, pool);
APR_ARRAY_PUSH(providers, svn_auth_provider_object_t *) = provider;
+
+ /* If configuration allows, add a provider for client-cert path
+ prompting, too. */
+ if (ssl_client_cert_file_prompt)
+ {
+ svn_auth_get_ssl_client_cert_prompt_provider
+ (&provider, svn_cmdline_auth_ssl_client_cert_prompt, pb, 2, pool);
+ APR_ARRAY_PUSH(providers, svn_auth_provider_object_t *) = provider;
+ }
}
else if (trust_server_cert)
{
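Review bot: The client-cert path provider is now pushed onto `providers` after the client-cert passphrase provider, whereas the removed lines registered it before. If providers are selected by credential kind the relative order of these two should not matter, but that is not visible here and is worth confirming, since a certificate path has to be known before its passphrase is asked for. The new comment could also name the knob, e.g. `/* Add the client-cert path prompt only if 'ssl-client-cert-file-prompt' is enabled. */`. The enclosing function continues past the hunk.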
Modified: subversion/trunk/subversion/libsvn_subr/config_file.c
URL:
http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_subr/config_file.c?rev=1382028&r1=1382027&r2=1382028&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_subr/config_file.c (original)
+++ subversion/trunk/subversion/libsvn_subr/config_file.c Fri Sep 7 13:53:05
2012
@@ -1034,6 +1034,13 @@ svn_config_ensure(const char *config_dir
"# kwallet-svn-application-name-with-pid = yes" NL
#endif
"###" NL
+ "### Set ssl-client-cert-file-prompt to 'yes' to cause the client" NL
+ "### to prompt for a path to a client cert file when the server" NL
+ "### requests a client cert but no client cert file is found in the" NL
+ "### expected place (see the 'ssl-client-cert-file' option in the" NL
+ "### 'servers' configuration file). Defaults to 'no'." NL
+ "# ssl-client-cert-file-prompt = no" NL
+ "###" NL
"### The rest of the [auth] section in this file has been deprecated."
NL
"### Both 'store-passwords' and 'store-auth-creds' can now be" NL