Below is a small patch for those using x509 support, e.g. an Apache config as below to allow access based on x509 certs. The reason for doing this is that otherwise the strings shown become very long and unwieldy.

One item of note: in a lot of sites the x509 contains the email address; in a lot of other non-x509 (e.g. htpasswd) sites the userid can be combined with some FQDN to become the user's valid email address. Hence it may be useful to at some point add an extra field, email, to the current interface.

See test case below.

Dw.
PATCH
Index: versioncontrol/svn_fs.py
===================================================================
--- versioncontrol/svn_fs.py (revision 6673)
+++ versioncontrol/svn_fs.py (working copy)
@@ -848,6 +848,15 @@
# we _hope_ it's UTF-8, but can't be 100% sure (#4321)
message = message and to_unicode(message, 'utf-8')
author = author and to_unicode(author, 'utf-8')
+
+ # If the author looks like an x509 Distingished Name (DN)
+ # then extract just the CN (Common Name). XX and emailAddress?
+ if author:
+ if author.find('/CN=') > -1:
+ author= author[author.find('/CN=')+4:];
+ if (author.find('/') > -1):
+ author= author[:author.find('/')]
+
_date = self._get_prop(core.SVN_PROP_REVISION_DATE)
if _date:
ts = core.svn_time_from_cstring(_date, self.pool()) /
1000000
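Review bot: the second `find('/')` truncates at the first slash after the CN, so a CN that itself contains a slash (legal in a DN, and not escaped in OpenSSL's one-line format) is cut short, and any author string that contains `/CN=` anywhere is rewritten even when it is an ordinary svn author rather than a DN. Restrict the rewrite to strings that start with `/` and walk the RDNs instead of chopping at the next `/`. Also drop the stray semicolon on `author= author[author.find('/CN=')+4:];`, fix "Distingished" in the comment, and since the identical block is repeated in web/auth.py, factor it into one shared helper.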
Index: web/auth.py
===================================================================
--- web/auth.py (revision 6673)
+++ web/auth.py (working copy)
@@ -75,6 +75,18 @@
if self.ignore_case:
authname = authname.lower()
+ # If the author looks like an x509 Distingished Name (DN)
+ # then extract just the CN (Common Name). Note that we
+ # should not concat things like <emailAddress> as the
+ # very same name is also used for XS controls - and then
+ # becomes hard to enter from trac-admin.
+ #
+ if author:
+ if author.find('/CN=') > -1:
+ author= author[author.find('/CN=')+4:];
+ if (author.find('/') > -1):
+ author= author[:author.find('/')]
+
return authname
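Review bot: this hunk tests and rewrites `author`, but the function works on `authname` (lowercased just above and returned by `return authname`), so the CN extraction never reaches the value that is returned, and `author` is not defined in this function, so the `if author:` line will raise a NameError. Rename every `author` in the block to `authname`. Note too that reducing the DN to its CN alone means two certificates with the same CN but different O/OU, or issued by different CAs in SSLCACertificateFile, map to the same Trac login; if that is acceptable it deserves a comment, otherwise include O or the issuer in the login. The stray semicolon and the "Distingished" typo are duplicated here as well.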
Apache Snippet:
SSLEngine on
SSLCertificateFile /xxx/server.pem
SSLCertificateKeyFile /xxx/server.key
# Chain for the server - not for client verification (though in this
# simple case they _happen_ to be the same!).
SSLCACertificateChainFile /xxx/root.pem
SSLVerifyClient none
SSLVerifyDepth 3

Alias /trac/ "/xxx/trac/"
<Directory "/xxx/trac">
  Options Indexes FollowSymLinks
  AllowOverride None
  Order allow,deny
  Allow from all

  # Insist on a valid SSL certificate, issued by
  # *any* of our CAs.
  SSLCACertificateFile /xxx/root.pem
  SSLVerifyClient require
  SSLOptions StdEnvVars ExportCertData FakeBasicAuth
  # SSLRequireSSL SSLRequire %{SSL_CLIENT_S_DN_O} eq "My Org" and ....

  # mod_python speeds things up considerably
  SetHandler mod_python
  PythonHandler trac.web.modpython_frontend
  PythonOption TracEnvParentDir "/var/trac"
  PythonOption TracUriRoot "/trac"

  # Fake up authentication so that trac thinks we're doing
  # basic auth.
  #
  AuthType Basic
  AuthName "my track"
  # We're too lazy to create a 'htpasswd' file as generally
  # done with FakeBasicAuth - hence we use anon to allow
  # any valid cert in. Trac will do the right thing.
  #
  AuthBasicProvider anon
  Anonymous "*"
  Require valid-user
  # further authorization is handled internally by trac
</Directory>

<Location "/svn">
  DAV svn
  SVNParentPath /xxx/svn
  SSLCACertificateFile /xxx/root.pem
  SSLVerifyClient require
  # SSLRequire %{SSL_CLIENT_S_DN_O} eq "My Org..."

  # Pull authentication information in so as to allow svn to use the
  # CN in its logs.
  #
  SSLOptions StdEnvVars ExportCertData FakeBasicAuth
  AuthType Basic
  AuthName "my svn"
  # We do not want to keep an htaccess list with the DNs - so we
  # let anyone authenticated in
  AuthBasicProvider anon
  Anonymous "*"
  Require valid-user
</Location>
Snippet to create a test CA
# Create a CA (self-signed, so -days applies directly here)
openssl req -new -nodes -batch -x509 \
    -days 10 -subj '/CN=Da Root/O=Trac testing/' -set_serial 1 \
    -keyout root.key -out root.pem

# Create a certificate request for the trac server.
# (-days is ignored by "req -new" without -x509, so it is given
# to "x509 -req" below where it actually takes effect.)
openssl req -new -nodes -batch \
    -subj "/CN=localhost/O=Keepers of Servers/" \
    -keyout server.key -out server.req

# And get it signed by our root authority.
#
openssl x509 -text -req -days 9 \
    -CA root.pem -CAkey root.key \
    -set_serial 2 -in server.req -out server.pem

# Create a certificate request for 'Fred' the test user
openssl req -new -nodes -batch \
    -subj "/CN=Fred the Test User/O=The Test Dept/" \
    -keyout fred.key -out fred.req

# And get it signed by our root authority. Each certificate issued by
# the same CA needs a distinct serial number, hence 3 rather than 2.
#
openssl x509 -text -req -days 9 \
    -CA root.pem -CAkey root.key \
    -set_serial 3 -in fred.req -out fred.pem

# And make one for easy import into your browser
cat fred.key fred.pem > fred-browser.pem
openssl pkcs12 -export -out fred.p12 \
    -in fred.pem -inkey fred.key -CAfile root.pem

rm server.req fred.req
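The CN extraction in the patch chops the string at the next "/", which truncates a CN that contains a slash and rewrites any author string with "/CN=" in it. As an added example that is not part of the patch or of Trac, here is a stricter mapping from the REMOTE_USER that mod_ssl's FakeBasicAuth produces (assumed to be the legacy slash-separated one-line DN, e.g. "/CN=Fred the Test User/O=The Test Dept") to a login plus the emailAddress field the message suggests adding; the function names and the rule that a "/" only starts a new RDN when "NAME=" follows it are assumptions of this example.

```python
import re

# Assumption: legacy OpenSSL one-line DN as passed by FakeBasicAuth.
# A "/" starts a new RDN only when it is followed by "NAME=", so a CN
# that itself contains a slash (e.g. "Fred/Jones") is kept whole.
_RDN_SPLIT = re.compile(r'/(?=[A-Za-z0-9.]+=)')


def parse_dn(dn):
    """Split a slash-separated DN into an ordered list of (attr, value)."""
    if not dn.startswith('/'):
        raise ValueError('not a slash-separated DN: %r' % (dn,))
    pairs = []
    for rdn in _RDN_SPLIT.split(dn)[1:]:   # element 0 is the empty lead
        attr, value = rdn.split('=', 1)
        pairs.append((attr, value))
    return pairs


def dn_to_identity(authname):
    """Map an authenticated name to a (login, email) tuple.

    Plain htpasswd-style names pass through unchanged with email None.
    For a DN the CN becomes the login and emailAddress, if present, the
    email. A DN with no CN, an empty CN, or several CNs is rejected
    instead of being mapped to a guessed or ambiguous user. Note that
    the CN alone is not unique across O/OU or issuing CAs; callers
    that accept certs from several CAs should qualify the login further.
    """
    if not authname.startswith('/'):
        return authname, None
    pairs = parse_dn(authname)
    cns = [v for a, v in pairs if a == 'CN']
    if len(cns) != 1 or not cns[0]:
        raise ValueError('DN must carry exactly one non-empty CN: %r'
                         % (authname,))
    emails = [v for a, v in pairs if a == 'emailAddress']
    return cns[0], (emails[0] if emails else None)
```

The same function serves both call sites in the patch (svn author and web login), so it can replace the duplicated block in svn_fs.py and auth.py.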
You received this message because you are subscribed to the Google Groups "Trac
Development" group.
For more options, visit this group at
http://groups.google.com/group/trac-dev?hl=en