SVN: Restricting Access

 

MPG

Uniform Server 5.0-Nano.
Subversion (SVN)

Restricting Access

With the current configuration, putting SVN on-line means anyone can access and modify your Subversion repositories. In terms of data loss this is not an issue: all modifications to a repository are captured and can be reverted.

That said, it's a good idea to restrict access to individuals who are allowed to commit to a repository. Your project data may be particularly sensitive; in this scenario, restrict access and encrypt all transactions.

This page covers the above scenarios.

Password file

The first requirement is to create a password file containing a list of names and passwords for all users allowed access to repositories.

UniServer has a simple convention: all password files are contained in the folder UniServer\htpasswd, which contains sub-folders that match the path to the folder being protected.

Finally inside this folder is the password file .htpasswd.

  • Create the folder C:\a_svn\UniServer\htpasswd\svn
  • Copy an existing .htpasswd password file to the above folder. Windows is a pain if a file has no name!
  • Edit the copied file. Add name and password pairs accordingly, for example:
  mike:root
  john:123
  fred:pas123

Note: All the following examples use this file.

Basic Authentication

Basic authentication is very easy to set up. It's not intended to be secure but is more of a deterrent to prevent casual users modifying repositories. This basic configuration will be secured later using SSL.

Note: Passwords and data can be sniffed and access gained.

Apache configuration

Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf. Add the four lines as shown to the location block.

<location /svn>
 DAV svn
 SVNListParentPath on
 SVNParentPath C:/a_svn/UniServer/svn

 AuthType Basic
 AuthName "Subversion repositories"
 AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
 Require valid-user
</location>
  • AuthType Basic - Type of authentication is basic
  • AuthName - Name displayed in the browser's challenge pop-up box
  • AuthUserFile - Path to the password file
  • Require valid-user - Informs Apache all users must supply a name and password.

Test 1

Browser:

  • Restart servers
  • Type into browser
    • Either http://localhost/svn/
    • Or http://localhost/svn/myproject/
  • Challenged for a name and password.
    • Enter one of the name/password pairs in the above list
  • You can now browse the repository

  

Client:

  • Restart servers
  • Start PortableRapidSVN (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)
  • In bookmarks click on http://localhost/svn/myproject
  • Challenged for a name and password.
    • Enter one of the name/password pairs in the above list
  • You can now browse the repository
  • Or commit any changes

Note: All repositories are protected.

Basic Authentication - Less Draconian

The above is draconian: only authorised users can view the repository. Generally, for an open source project you want users to have the ability to browse a repository and download working copies. Only developers have the additional capability to commit (write) to a repository.

Selectively target

Replace the above line Require valid-user with this block of code. The line has been wrapped within a LimitExcept directive. This targets any requests other than a read and forces authentication.

# For any operations other than these, require an authenticated user.
# Hence this block limits write permission to list of valid users.
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>

Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf and add the above as shown below:

<location /svn>
 DAV svn
 SVNListParentPath on
 SVNParentPath C:/a_svn/UniServer/svn

 AuthType Basic
 AuthName "Subversion repositories"
 AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd

# For any operations other than these, require an authenticated user.
# Hence this block limits write permission to list of valid users.
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>

</location>
  • AuthType Basic - Type of authentication is basic
  • AuthName - Name displayed in the browser's challenge pop-up box
  • AuthUserFile - Path to the password file
  • <LimitExcept></LimitExcept> - Wraps Require valid-user so that it targets only write requests.
  • Require valid-user - Informs Apache all users must supply a name and password.
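
The effect of the LimitExcept block can be checked mechanically. The Python script below is an added example, not part of the original tutorial: it parses a location block and reports which Subversion WebDAV methods pass without credentials, and whether Basic credentials would travel without SSLRequireSSL being present in the block. The method list and the function name audit are assumptions of this example.

```python
import re

# Constructed input: the "less draconian" block from this page, without SSL.
LESS_DRACONIAN = """\
<location /svn>
 DAV svn
 SVNParentPath C:/a_svn/UniServer/svn
 AuthType Basic
 AuthName "Subversion repositories"
 AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</location>
"""

# Methods a Subversion client commonly sends over WebDAV (assumed list).
SVN_METHODS = ["OPTIONS", "PROPFIND", "REPORT", "GET", "MKACTIVITY",
               "CHECKOUT", "PUT", "PROPPATCH", "MERGE", "DELETE"]

def audit(conf, methods=SVN_METHODS):
    """Report per-method authentication and cleartext-credential exposure."""
    require_all, exempt, ssl, basic = False, None, False, False
    in_limit = None  # set of exempt methods while inside <LimitExcept>
    for line in (l.strip() for l in conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<LimitExcept\s+([^>]+)>", line, re.I)
        if opened:
            in_limit = set(opened.group(1).split())
        elif re.match(r"</LimitExcept>", line, re.I):
            in_limit = None
        else:
            words = line.split()
            name = words[0].lower()
            if name == "require" and in_limit is None:
                require_all = True      # applies to every method
            elif name == "require":
                exempt = in_limit       # applies to all but the listed methods
            elif name == "sslrequiressl":
                ssl = True              # presence in the block only
            elif name == "authtype" and len(words) > 1:
                basic = words[1].lower() == "basic"
    def needs_auth(m):
        return require_all or (exempt is not None and m not in exempt)
    protected = [m for m in methods if needs_auth(m)]
    return {"anonymous": [m for m in methods if not needs_auth(m)],
            "authenticated": protected,
            "cleartext_credentials": basic and bool(protected) and not ssl}
```

For the block above, the four read methods are reported as anonymous, the write methods as authenticated, and cleartext_credentials is set because the Basic credentials sent on commit are not protected by SSL.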

Test 2

Browser:

  • Restart servers
  • Type into browser
    • Either http://localhost/svn/
    • Or http://localhost/svn/myproject/
  • User can browse repository.

  

Client:

  • Restart servers
  • Start PortableRapidSVN (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)
  • In bookmarks click on http://localhost/svn/myproject
  • Can browse repository and create a new working copy.
  • Make a change in the working copy and commit
  • Will be challenged for a name and password.
    • Enter one of the name/password pairs in the above list
  • After initial authorisation you will not be challenged again during this connection.

Basic Authentication + SSL

I have shown how easy it is to set up basic authentication. Securing this with SSL is just as easy; it only requires the addition of a single line.

Sounds too good to be true! Well yes, because you do require a server certificate. If you have not already created a server certificate, do so now as follows:

  • Left or right mouse click on UniTray Icon
  • Mouse-over Advanced and click Server Certificate and key Generator
  • Press enter at all prompts to accept the default values.
  • Restart servers.

Apache configuration

Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf. Add a single line as shown:

<location /svn>
 DAV svn
 SVNListParentPath on
 SVNParentPath C:/a_svn/UniServer/svn

 AuthType Basic
 AuthName "Subversion repositories"
 AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
 SSLRequireSSL
 Require valid-user
</location>
  • AuthType Basic - Type of authentication is basic
  • AuthName - Name displayed in the browser's challenge pop-up box
  • AuthUserFile - Path to the password file
  • SSLRequireSSL - Informs Apache connection must be over a secure link using SSL
  • Require valid-user - Informs Apache all users must supply a name and password.

Test 3

Browser:

  • Restart servers
  • Type into browser
    • Either https://localhost/svn/
    • Or https://localhost/svn/myproject/
  • Challenged for a name and password.
    • Enter one of the name/password pairs in the above list
  • You can now browse the repository

  

Client:

  • Restart servers
  • Start PortableRapidSVN (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)
  • Select Bookmarks > Add Existing Repository enter https://localhost/svn/myproject
  • Challenged for a name and password.
    • Enter one of the name/password pairs in the above list
  • You can now browse the repository
  • Or commit any changes

Note 1: All repositories are protected.

Note 2: Remember to use https

Basic Authentication - Less Draconian + SSL

Similar to the above, only this time there is no need to create a server certificate (assumes you already created one, see above). We take the less-draconian solution and add a single line as shown below:

Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf and add the line as shown below:

<location /svn>
 DAV svn
 SVNListParentPath on
 SVNParentPath C:/a_svn/UniServer/svn

 AuthType Basic
 AuthName "Subversion repositories"
 AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd

# For any operations other than these, require an authenticated user.
# Hence this block limits write permission to list of valid users.
<LimitExcept GET PROPFIND OPTIONS REPORT>
SSLRequireSSL
Require valid-user
</LimitExcept>

</location>
  • AuthType Basic - Type of authentication is basic
  • AuthName - Name displayed in the browser's challenge pop-up box
  • AuthUserFile - Path to the password file
  • <LimitExcept></LimitExcept> - Wraps Require valid-user so that it targets only write requests.
  • SSLRequireSSL - Informs Apache connection must be over a secure link using SSL
  • Require valid-user - Informs Apache all users must supply a name and password.

Test 4

Browser:

  • Restart servers
  • Type into browser
    • Either https://localhost/svn/
    • Or https://localhost/svn/myproject/
  • User can browse repository.

  

Client:

  • Restart servers
  • Start PortableRapidSVN (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe)
  • In bookmarks click on https://localhost/svn/myproject
  • Can browse repository and create a new working copy.
  • Make a change in the working copy and commit
  • Will be challenged for a name and password.
    • Enter one of the name/password pairs in the above list
  • After initial authorisation you will not be challenged again during this connection.

Summary

On this page I have shown that restricting access to repositories is not difficult. Securing using SSL is just as easy, requiring only a single line.

You can employ more selective authorisation; although I have not covered this, at least you have a working base to work from.

Basic authentication with SSL encryption is more than adequate for small teams and personal use.

Conclusion

This tutorial has covered installing Subversion (SVN) on UniServer 5.0-Nano, culminating in a portable version. Once copied to a USB memory stick, remember to set the new paths in RapidSVN. Being a complete package, it allows you to explore the whole process of version control. Once you have created a working server, back it up. Use a copy to explore; should you break it, just delete the files and start again from a new copy of your backup.