Wednesday, February 6, 2008

Subversion+Kerberos, without the realm!

We're using Subversion with Kerberos authentication here at work. I love having one-password-to-rule-them-all, but having the @REALM show up in the Subversion log is a bit of a pain. Today I came up with a solution.

It's very simple. I use a post-commit script to change the author revprop. The change in post-commit is quite trivial:

    #
    # strip Kerberos realm from svn:author
    # (REALM, e.g. @EXAMPLE.COM, is assumed to be set earlier in the hook)
    #
    OLD_AUTHOR=$(svn pget svn:author "file://$REPOS" --revprop -r "$REV")
    # Remove $REALM only as a literal trailing suffix
    NEW_AUTHOR=${OLD_AUTHOR%"$REALM"}

    svn pset svn:author "$NEW_AUTHOR" "file://$REPOS" --revprop -r "$REV"

What's not so trivial is the change to pre-revprop-change, the hook Subversion runs before any revision property change, including the svn pset in post-commit. I wanted to ensure that only the change from user@REALM to just plain user was allowed.

    NEW_VALUE=$(cat)

    # ...

    #
    # Stripping Kerberos realm is allowed
    #
    if test "$ACTION" = M && test "$PROPNAME" = svn:author; then
        OLD_AUTHOR=$(svnlook pget "$REPOS" svn:author --revprop -r "$REV")
        echo "NEW: $NEW_VALUE"
        echo "OLD: $OLD_AUTHOR"
        # Literal suffix match: only a trailing $REALM is removed
        ALLOWED_NEW_AUTHOR=${OLD_AUTHOR%"$REALM"}
        if test "$NEW_VALUE" = "$ALLOWED_NEW_AUTHOR"; then
            # allowed author change
            exit 0
        fi
        echo "svn:author $OLD_AUTHOR may only be changed to $ALLOWED_NEW_AUTHOR" >&2
        exit 1
    fi
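
The author-change rule above, as an added example (not code from the original post): it puts the check in functions and runs it over constructed cases, comparing a literal suffix strip with a regex sed substitution, in which each dot of the realm matches any character. The realm `@EXAMPLE.COM`, the author names and the function names are assumptions.

```shell
#!/bin/sh
# Added example; REALM and all author names are constructed sample data.
REALM='@EXAMPLE.COM'

# Strip $REALM only when it is the literal suffix of the author name.
# Quoting the pattern inside ${1%"..."} turns off pattern characters.
strip_realm() {
    printf '%s' "${1%"$REALM"}"
}

# Regex substitution for comparison: unanchored, and each "." in the realm
# matches any character.
strip_realm_sed() {
    printf '%s\n' "$1" | sed "s/$REALM//"
}

# Return 0 only for the permitted realm strip on svn:author.
# Arguments: ACTION PROPNAME OLD_AUTHOR NEW_VALUE
author_change_allowed() {
    [ "$1" = M ] && [ "$2" = svn:author ] || return 1
    allowed=$(strip_realm "$3")
    # Extra guard added in this example: never accept an empty author
    # (old value consisting of the realm alone).
    [ -n "$allowed" ] && [ "$4" = "$allowed" ]
}

# Print the verdict for one constructed case.
check() {
    if author_change_allowed "$@"; then verdict=ALLOW; else verdict=DENY; fi
    printf '%-5s %s %-10s %s -> %s\n' "$verdict" "$1" "$2" "$3" "$4"
}

check M svn:author 'alice@EXAMPLE.COM' 'alice'   # intended strip
check M svn:author 'alice@EXAMPLE.COM' 'bob'     # different user
check M svn:log    'alice@EXAMPLE.COM' 'alice'   # other property
check D svn:author 'alice@EXAMPLE.COM' ''        # deletion
check M svn:author 'alice@EXAMPLExCOM' 'alice'   # not the configured realm
printf 'sed: %s\n' "$(strip_realm_sed 'alice@EXAMPLExCOM')"
```

The final line prints `alice`: the regex form would treat the look-alike realm as strippable, while the literal suffix match leaves it untouched and the change is denied.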
