7/21/2009

Version Control Using SVN + Apache

  Version control is one of the three cornerstones of modern software development (the other two are unit testing and project automation). SVN is an open source version control system that is widely used in the open source community and in many companies.

  To secure your SVN environment, you should configure its authentication and authorization options. For networked SVN, there are two ways to talk to the SVN server: the svnserve protocol or Apache.
- The svnserve protocol can leverage SSH to authenticate SVN users, so you can use Unix user accounts to access the SVN repository. But SSH is only popular in the *nix world and is not well supported in the Windows world.
- Apache has a Windows Authentication module that can be used to talk to the SVN repository data files securely. Windows Authentication is an AD-based system and is very popular in Windows-based enterprise environments.

  Here I will show how to configure the Windows Authentication mechanism in an Apache-based SVN environment. You should already be familiar with SVN concepts, architecture and common command usage.

1. Install Software Component

- SVN + Apache
1) Download and install the package above.
2) Suppose you install it to $SvnServRoot, then Apache Httpd is located at $SvnServRoot\Httpd.
3) Both SvnServe and Httpd will run as Windows Service after installation.
4) Use cmd:"svnadmin create repo" to create a svn repository called "repo" under SVN's root directory. (the root directory is specified when starting SvnServe using "-r" option)
5) Use cmd:"svn import HelloWorld.txt svn://server_name/repo/HelloWorld.txt" to add a sample txt file into svn.

- SSPI Apache Module
1) Download the sspi zip file and unzip it.
2) Copy bin\mod_auth_sspi.so to $SvnServRoot\Httpd\Modules

2. Configure SVN DAV

1). Load svn related modules.
In $SvnServRoot\Httpd\Conf\httpd.conf, ensure the following two lines are added:
# Subversion modules
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
2). Set URI -> SVN Repository mapping.
Suppose you want people to access your svn by the uri - http://server_name/svn.

If you have just one repository, located at $svnroot\your_repo, add the following to $SvnServRoot\Httpd\Conf\httpd.conf:
<Location /svn>
DAV svn
SVNPath $svnroot\your_repo
</Location>
If you have multiple repositories that are all located under $svnroot\repo_root, add the following to $SvnServRoot\Httpd\Conf\httpd.conf:
<Location /svn>
DAV svn
SVNListParentPath on
SVNParentPath $svnroot\repo_root
</Location>
3). Test
Now restart your Apache Windows service and try browsing http://server_name/svn. If all is OK, you will see the HelloWorld.txt file listed in the browser.

You can also try cmd: svn mkdir http://server_name/svn/sandbox -m "message text" to see whether Apache Httpd based SVN WebDAV works.

3. Configure SSPI

1). In $SvnServRoot\Httpd\Conf\httpd.conf, ensure the following line is added:
# Windows Authentication module
LoadModule sspi_auth_module   modules/mod_auth_sspi.so
Make sure this directive comes before the ones that load the SVN WebDAV modules.

2). In the Location section of httpd.conf, specify the SSPI parameters as follows:
<Location /svn>
# SSPI auth module parameters
AuthName "Subversion Authentication"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
# set the domain to authorize against
SSPIDomain DOMAIN
# omit the domain name from the userid string
SSPIOmitDomain On
# let non-IE clients authenticate
SSPIOfferBasic On
# whether basic authentication should have higher priority
SSPIBasicPreferred Off
# convert the username to lower case
SSPIUsernameCase lower

# require the SVN Users group
Require group "DOMAIN\Subversion Users"
Require user "YOUR_DOMAIN\your_name"
</Location>
NOTE:
- If no Require directive is specified, any user can access the SVN repository (the same effect as no authentication at all).
- The "Require valid-user" directive grants access to any valid user who logs into his machine using an AD-controlled account.
- You can use the AuthzSVNAccessFile directive in the Location section to specify an authorization rule file.

3). Test
- Restart the Apache Httpd Windows service.
- Try using your AD-controlled Windows account and a local machine account to access http://server_name/svn/

4. Configure Apache SSL

1). In $SvnServRoot\Httpd\Conf\httpd.conf, uncomment the following two lines:
#LoadModule ssl_module modules/mod_ssl.so
#Include conf/extra/httpd-ssl.conf

2). Create SSL Certificates
Run the following commands in the directory $SvnServRoot\Httpd\Conf\:
..\bin\openssl.exe req -config openssl.cnf -new -out my-server.csr
..\bin\openssl.exe rsa -in privkey.pem -out server.key
..\bin\openssl.exe req -new -key server.key -config openssl.cnf -out server.csr
..\bin\openssl.exe x509 -in server.csr -out server.crt -req -signkey server.key -days 10000

Then make sure the following files are created:
privkey.pem
server.crt
server.csr
server.der.crt
server.key

3). Modify $SvnServRoot\Httpd\Conf\Extra\httpd-ssl.conf
There are some hardcoded file paths in this configuration file; replace them with the location where the SSL certificate files are stored (it is "$SvnServRoot\Httpd\Conf\" in the example above).

4). Test
- Restart the Apache Httpd Windows service.
- Try browsing https://server_name/svn
- Try cmd: "svn mkdir https://server_name/svn/sandbox/trunk"

NOTE:
- IE may not be able to connect to https://server_name/svn because it uses the "AES128-SHA" algorithm, which is very weak. Firefox 3.5 works well in my test.
- Since the SSL certificate is self-created (not signed by a certificate authority), you must accept it explicitly when you first access the site over https.
- Http and https have the same interface, but http sends your user name and password to the server in plain text. Https is more secure, especially in a WAN/Internet environment.
- If you want to allow anonymous users to read but only authenticated users to write (just like most open source project hosting sites), you can add
<LimitExcept GET PROPFIND OPTIONS REPORT>
  Require valid-user
</LimitExcept>
to the Location section in the httpd.conf file.
- You can add the "SSLRequireSSL" directive to the Location section in the httpd.conf file to deny non-https access to the SVN repository.
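
The notes in sections 3 and 4 can be checked mechanically. The Python script below is an added example, not part of the original post or of Apache/Subversion: it scans httpd.conf text for Location blocks that serve "DAV svn" and flags a missing Require, a Require that exists only inside Limit/LimitExcept (anonymous read), and "SSPIOfferBasic On" without SSLRequireSSL. The finding names and the sample configuration are constructed, and it assumes SSLRequireSSL is set inside the Location block itself rather than inherited from elsewhere.

```python
# Constructed sample httpd.conf fragment; paths and group names are placeholders.
SAMPLE_CONF = r"""
<Location /svn>
  DAV svn
  AuthType SSPI
  SSPIOfferBasic On
  Require group "DOMAIN\Subversion Users"
</Location>
<Location /open>
  DAV svn
  SSLRequireSSL
</Location>
"""

def _check(rows):
    # rows: (directive, args, inside_limit) tuples, already lower-cased
    names = {n for n, _, _ in rows}
    found = []
    if "require" not in names:
        found.append("no-require")        # Apache never asks for credentials
    elif all(lim for n, _, lim in rows if n == "require"):
        found.append("anonymous-read")    # Require only inside <Limit>/<LimitExcept>
    basic = any(n == "sspiofferbasic" and a.split()[:1] == ["on"] for n, a, _ in rows)
    if basic and "sslrequiressl" not in names:
        found.append("basic-over-http")   # Basic offered, plain HTTP not refused
    return found

def audit_svn_locations(conf_text):
    """Map each <Location> that serves 'DAV svn' to its list of findings."""
    report, path, rows, in_limit = {}, None, [], False
    for raw in conf_text.splitlines():
        line = raw.strip()
        low = line.lower()
        if not line or line.startswith("#"):
            continue
        if low.startswith("<location "):
            path, rows, in_limit = line[10:].strip(' >"'), [], False
        elif low.startswith("</location>"):
            if path is not None and ("dav", "svn", False) in rows:
                report[path] = _check(rows)
            path = None
        elif low.startswith(("<limit", "</limit")):
            in_limit = not low.startswith("</")
        elif path is not None:
            tokens = low.split()
            rows.append((tokens[0], " ".join(tokens[1:]), in_limit))
    return report

if __name__ == "__main__":
    print(audit_svn_locations(SAMPLE_CONF))
```

An empty list for a Location means none of the three conditions was found in that block.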
