Wednesday, February 6, 2008

Subversion+Kerberos, without the realm!

We're using Subversion with Kerberos authentication here at work. I love having one-password-to-rule-them-all, but having the @REALM show up in the Subversion log is a bit of a pain. Today I came up with a solution.

It's very simple. I use a post-commit script to change the author revprop. The change in post-commit is quite trivial:

# strip Kerberos realm from svn:author
REPOS="$1"
REV="$2"
REALM="@EXAMPLE.COM"  # placeholder: set to your own realm, including the leading @
OLD_AUTHOR=$(svn pget svn:author "file://$REPOS" --revprop -r "$REV")
# literal suffix match, so dots in the realm are not treated as regex wildcards
NEW_AUTHOR=${OLD_AUTHOR%"$REALM"}

svn pset svn:author "$NEW_AUTHOR" "file://$REPOS" --revprop -r "$REV"

What's not so trivial is the change to pre-revprop-change. I wanted to ensure that only the change from user@REALM to just plain user was allowed.

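# ...

# Stripping Kerberos realm is allowed
if test "$ACTION" = M -a "$PROPNAME" = svn:author; then
    # Subversion passes the proposed new value on standard input
    # (assumes the elided part above has not already read it)
    NEW_VALUE=$(cat)
    OLD_AUTHOR=$(svnlook pget "$REPOS" svn:author --revprop -r "$REV")
    # the only permitted new value is the old author minus the realm suffix;
    # REALM is assumed to be set the same way as in post-commit
    ALLOWED_NEW_AUTHOR=${OLD_AUTHOR%"$REALM"}
    echo "NEW: $NEW_VALUE"
    if test "$NEW_VALUE" = "$ALLOWED_NEW_AUTHOR"; then
        # allowed author change
        exit 0
    fi
    echo "svn:author $OLD_AUTHOR may only be changed to $ALLOWED_NEW_AUTHOR" >&2
    exit 1
fi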
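
The rule described above, written out as a complete pre-revprop-change hook with the decision in a function that can be tested without a repository. This is an added example, not the script from this post; the `@EXAMPLE.COM` realm and the function names are assumptions.

```shell
#!/bin/sh
# Added example: allow exactly one revprop change, user@REALM -> user.
# REALM is a constructed placeholder; set it to your own realm with the leading @.
REALM='@EXAMPLE.COM'

# author_change_allowed ACTION PROPNAME OLD_AUTHOR NEW_VALUE REALM
# Returns 0 only for "modify svn:author from user@REALM to user".
author_change_allowed() {
    action=$1 propname=$2 old=$3 new=$4 realm=$5

    # Only a modification of svn:author is in scope; adds and deletes are refused.
    [ "$action" = M ] || return 1
    [ "$propname" = svn:author ] || return 1
    [ -n "$realm" ] || return 1

    # Literal suffix strip: the quotes stop dots or * in the realm acting as a pattern.
    stripped=${old%"$realm"}

    # The old author must have carried the realm, and a bare realm is not a user.
    [ "$stripped" != "$old" ] || return 1
    [ -n "$stripped" ] || return 1

    # Anything other than the exact stripped name would let a committer forge authorship.
    [ "$new" = "$stripped" ]
}

# Hook entry point. Subversion calls pre-revprop-change as
# REPOS REV USER PROPNAME ACTION, with the proposed value on stdin.
pre_revprop_change() {
    repos=$1 rev=$2 propname=$4 action=$5
    new=$(cat)
    old=$(svnlook pget "$repos" svn:author --revprop -r "$rev") || return 1
    if author_change_allowed "$action" "$propname" "$old" "$new" "$REALM"; then
        return 0
    fi
    echo "svn:author $old may only lose its $REALM suffix" >&2
    return 1
}

# Run as a hook only when installed under the hook's name.
case ${0##*/} in
    pre-revprop-change) pre_revprop_change "$@"; exit ;;
esac
```

Unlike the snippet above, this version also refuses a change when the stored author has no realm suffix, so a second attempt to rewrite an already-stripped author is rejected.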
