subversion

 julyfire 2012-04-23

Goal

  1. Subversion for multiple repositories
  2. Authorized by Apache2 mod_auth_pgsql

Profile

OS: Debian Lenny
Hostname: 192.168.1.100
Svn directory: /opt/svn
Repositories: /opt/svn/repo1, /opt/svn/repo2
PostgreSQL database for authentication: svn
PostgreSQL user: svn
Prompts: $ - General user, # - root

Install Debian packages

    # apt-get install apache2 libapache2-mod-auth-pgsql libapache2-svn \
        postgresql postgresql-contrib subversion ssl-cert

Setup PostgreSQL

1. Create database and user for authentication

  • Create database and user
    $ sudo su postgres
    postgres $ createdb svn
    CREATE DATABASE
    postgres $ createuser svn
    Shall the new role be a superuser? (y/n) n
    Shall the new user be allowed to create databases? (y/n) n
    Shall the new user be allowed to create more new users? (y/n) n
    CREATE USER
  • Load pgcrypto to encrypt passwords
    postgres $ psql -d svn < /usr/share/postgresql/8.3/contrib/pgcrypto.sql
    SET
    CREATE FUNCTION
    CREATE FUNCTION
    CREATE FUNCTION
    ...
  • Create tables
    postgres $ psql -d svn
    svn =#
    -- user table
    CREATE TABLE users (
        user_id SERIAL PRIMARY KEY,
        username VARCHAR(32) NOT NULL,
        passwd TEXT NOT NULL,
        email VARCHAR(255)
    );
    CREATE INDEX idx_users ON users (username);
    GRANT SELECT ON users TO svn;
    -- group table
    CREATE TABLE groups (
        group_id SERIAL PRIMARY KEY,
        username VARCHAR(32) NOT NULL,
        memberof VARCHAR(64) NOT NULL -- group name
    );
    CREATE INDEX idx_groups ON groups (username, memberof);
    GRANT SELECT ON groups TO svn;
    -- log table
    CREATE TABLE logs (
        logs_id SERIAL PRIMARY KEY,
        uname VARCHAR(32),
        time TIMESTAMP(8),
        uri VARCHAR(512),
        ip INET
    );
    CREATE INDEX idx_logs ON logs (uname, time);
    GRANT INSERT ON logs TO svn;
  • Change database password for user 'svn'
    ALTER USER svn WITH ENCRYPTED PASSWORD '123456';

Create subversion repositories

    # mkdir /opt/svn/
    # svnadmin create /opt/svn/repo1
    # svnadmin create /opt/svn/repo2

Then change their ownership:

    # chown -R www-data:www-data /opt/svn

Setup Apache 2 and WebDAV

  • Enable Apache2 modules
    # a2enmod dav
    # a2enmod dav_svn
    # a2enmod 000_auth_pgsql

Setup SSL

  • Enable ssl site
    # a2ensite default-ssl
  • Enable ssl module
    # a2enmod ssl
  • Create self-signed certificates
If you install the ssl-cert package, a self-signed certificate will be automatically created using the hostname currently configured on your computer. You can recreate that certificate (e.g. after you have changed /etc/hosts or DNS to give the correct hostname) as user root with:
    # make-ssl-cert generate-default-snakeoil --force-overwrite

Setup authentication with mod_auth_pgsql

  • Allow connections for user svn to PostgreSQL database svn. Add this line to /etc/postgresql/8.3/main/pg_hba.conf:
    host    svn  svn  127.0.0.1         255.255.255.255   md5
Be sure to put it before the line
    host    all         all         127.0.0.1         255.255.255.255   ident sameuser

  • Modify /etc/apache2/mods-available/dav_svn.conf for authentication
    <Location /svn>
        DAV svn
        SVNParentPath /opt/svn

        AuthType Basic
        AuthName "Subversion Repository"

        # Connection to the authentication database created above
        Auth_PG_host localhost
        Auth_PG_port 5432
        Auth_PG_database svn
        Auth_PG_user svn
        Auth_PG_pwd 123456
        # Tables and columns holding users and groups
        Auth_PG_pwd_table users
        Auth_PG_uid_field username
        Auth_PG_pwd_field passwd
        Auth_PG_grp_table groups
        Auth_PG_grp_group_field memberof
        Auth_PG_grp_user_field username
        Auth_PG_cache_passwords on
        # Access log written to the logs table
        Auth_PG_log_table logs
        Auth_PG_log_uname_field uname
        Auth_PG_log_date_field time
        Auth_PG_log_uri_field uri
        Auth_PG_log_addrs_field ip

        # Path-based access rules
        AuthzSVNAccessFile /etc/apache2/dav_svn.authz

        Require valid-user

        # Refuse requests that do not arrive over SSL
        SSLRequireSSL
    </Location>

  • Create subversion users
    $ sudo su postgres
    postgres $ psql -d svn
    svn =#
    -- User 'test1', for 'repo1'
    INSERT INTO users (username, passwd, email)
    VALUES ('test1', crypt('123456', gen_salt('md5')), 'test1@localhost');
    INSERT INTO groups (username, memberof)
    VALUES ('test1', 'testgrp');
    -- User 'test2', for 'repo2'
    INSERT INTO users (username, passwd, email)
    VALUES ('test2', crypt('abcdef', gen_salt('md5')), 'test2@localhost');
    INSERT INTO groups (username, memberof)
    VALUES ('test2', 'testgrp');

  • Create path-based access rule file /etc/apache2/dav_svn.authz
    # vim /etc/apache2/dav_svn.authz
    [groups]
    testgrp=test1,test2

    # User 'test1' has full access to repository 'repo1',
    # and it is not accessible to others
    [repo1:/]
    *=
    test1=rw

    # All members of group 'testgrp' can read repository 'repo2',
    # user 'test2' has full access privileges.
    [repo2:/]
    @testgrp=r
    test2=rw
  • Restart Apache2
    # /etc/init.d/apache2 restart
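
To check the rule file above against the intent stated in its comments, here is an added example (not from the original page and not Subversion's own code) that models how a repository-root section is evaluated. It assumes Subversion 1.x behaviour where every line matching the user is combined and a repository with no matching section is denied; the function names are hypothetical, and sub-path inheritance, aliases and the global [/] section are left out.

```python
# Added example: simplified model of Subversion 1.x authz evaluation for
# repository-root sections. Function names are hypothetical.

# The rule file from this page (/etc/apache2/dav_svn.authz).
AUTHZ = """\
[groups]
testgrp=test1,test2
[repo1:/]
*=
test1=rw
[repo2:/]
@testgrp=r
test2=rw
"""

def parse(text):
    """Return {section name: [(name, value), ...]} from authz text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line and current is not None:
            name, _, value = line.partition("=")
            current.append((name.strip(), value.strip()))
    return sections

def access(sections, user, repo):
    """Return 'rw', 'r' or '' for `user` at the root of `repo`."""
    groups = {g: {m.strip() for m in members.split(",")}
              for g, members in sections.get("groups", [])}
    rules = sections.get(repo + ":/")
    if rules is None:
        return ""  # assumption: no matching section means no access
    granted = set()
    for name, value in rules:
        in_group = name.startswith("@") and user in groups.get(name[1:], ())
        if name in ("*", user) or in_group:
            granted |= set(value) & {"r", "w"}  # matching lines combine
    return "".join(c for c in "rw" if c in granted)

if __name__ == "__main__":
    rules = parse(AUTHZ)
    for repo in ("repo1", "repo2"):
        for user in ("test1", "test2"):
            print(repo, user, access(rules, user, repo) or "no access")
```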

Complete

Now, these two repositories could be accessed via
