Tuesday, July 17, 2012

MySQL based authentication for SVN

Our company has been using SVN as it's primary source control system. In order to provide secure access to it's repository, SVN was configured to use HTTP based authentication using Apache server's WebDAV module (dav_svn in this case). With this configuration, a password file is created using htpasswd command, which consists of login credentials of all the users. Though it seems pretty straight forward, it has a some limitations that can't be avoided. One of such limitations is that there is no way the end users can change their passwords easily. The only option they have is to call the IT guys if they forget their passwords or the passwords initially assigned to them are really hard to remember.

We were hence decided to find some tool(s) to make end users life easier. During our research, we found that SVN can be authenticated using MySQL database. Since we already have a bug tracking tool using MySQL, our findings provided an additional benefit to the solution that we were looking for - we can have a Single Sign-on setup for SVN and a bug tracking tool.

Once we started digging up how to implement MySQL based authentication for SVN, we landed on a page on Rob Peck's blog. He shared his experience using mod_authnz_external, an Apache module, which allows authentication to be done using any script or program running on existing system. Such external script can be considered as a glue code, according to Rob. Based on his tutorial, we started setting up the environment to test our scenario as a proof of concept.

The configuration

A virtual machine instance was established with the following components;
  • Ubuntu Server 64-bit (version 11.10)
  • Apache (version 2.2.20)
  • MySQL (version 5.1.58)
  • SVN (version 1.6.12)
  • PHP (version 5.3.6)
In order to match our current configuration, SVN server was then configured to use HTTP based authentication. After that, the following steps were performed;

1. Installing and configuring mod_authnz_external

Instead of getting binaries from third party websites, source was compiled after downloading the latest version of the module (mod_authnz_external-3.2.6, at the time of writing this blog). Installation was done by following the step by step instructions from the site - http://code.google.com/p/mod-auth-external/wiki/Installation

2. Sample MySQL database

A sample database similar to shown below was created.  Password was not encrypted in order to make everything as simple as possible.

Figure 1: Sample Database

3. The glue code (PHP script)

Among various modes of mod_authnz_external, pipe mode uses pwauth format, where it passes the username and password to stdin separating each with a newline. It then uses exit codes to return back to Apache server, which can be used to determine if the login was valid or not. With this information, it is easy to write a script which takes username and password as inputs and then query them against the MySQL database to check if user exists or not and return the exit code accordingly.

Figure 2: PHP script talking to the database

4. Updating dav_svn.conf

The final step is to modify Apache's configuration file to talk to mod_authnz_external. However, in order keep everything simple, dav_svn.conf file was modified in our case. The detail on how to modify configuration file can be found at  - http://code.google.com/p/mod-auth-external/wiki/ConfigApache22

The sample dav_svn.conf looks like as below;
Figure 3: Configuring Apache to talk to mod_authnz_external
Now it's time to restart Apache and SVN starts authenticating using MySQL database.