Introduce a new authz module, like 'forbidden' but with support for

checking all roots and paths against regular expressions.

* viewvc.conf.dist
  (forbidden): New authz-forbiddenre section.

* lib/vcauth/forbiddenre,
* lib/vcauth/forbiddenre/__init__.py
  New authorizer based on simple regular expressions.

git-svn-id: http://viewvc.tigris.org/svn/viewvc/trunk@1763 8cb11bc2-c004-0410-86c3-e597b4017df7

lib/vcauth/forbiddenre/__init__.py

@@ -0,0 +1,55 @@
+# -*-python-*-
+#
+# Copyright (C) 2006 The ViewCVS Group. All Rights Reserved.
+#
+# By using this file, you agree to the terms and conditions set forth in
+# the LICENSE.html file which can be found at the top level of the ViewVC
+# distribution or at http://viewvc.org/license-1.html.
+#
+# For more information, visit http://viewvc.org/
+#
+# -----------------------------------------------------------------------
+import vcauth
+import vclib
+import fnmatch
+import string
+import re
+
+
+def _split_regexp(restr):
+  """Return a 2-tuple consisting of a compiled regular expression
+  object and a boolean flag indicating if that object should be
+  interpreted inversely."""
+  if restr[0] == '!':
+    return re.compile(restr[1:]), 1
+  return re.compile(restr), 0
+
+
+class ViewVCAuthorizer(vcauth.GenericViewVCAuthorizer):
+  """A simple regular-expression-based authorizer."""
+  def __init__(self, username, params={}):
+    forbidden = params.get('forbidden', '')
+    self.forbidden = map(lambda x: _split_regexp(string.strip(x)),
+                         filter(None, string.split(forbidden, ',')))
+                         
+  def _check_root_path_access(self, rootname, path_parts):
+    path = rootname
+    if path_parts:
+      path = path + '/' + string.join(path_parts, '/')
+
+    default = 1
+    for forbidden, negated in self.forbidden:
+      if negated:
+        default = 0
+        if forbidden.search(path):
+          return 1
+      elif forbidden.search(path):
+        return 0
+    return default
+      
+  def check_root_access(self, rootname):
+    return self._check_root_path_access(rootname, None)
+  
+  def check_path_access(self, rootname, path_parts, pathtype, rev=None):
+    return self._check_root_path_access(rootname, path_parts)
+    

viewvc.conf.dist

@@ -732,6 +732,43 @@ enabled = 0
 #
 forbidden = 
 
+#---------------------------------------------------------------------------
+[authz-forbiddenre]
+
+# The "forbiddenre" authorizer forbids access to repository paths by
+# comparing a list of regular expressions (separated by commas)
+# against paths consisting of the repository (or root) name plus the
+# path of the versioned file or directory to be tested.  For example,
+# to see if the user is authorized to see the path
+# "/trunk/www/index.html" in the repository whose root name is
+# "svnrepos", this authorizer will check the path
+# "svnrepos/trunk/www/index.html" against the list of forbidden
+# regular expressions.
+#
+# Like the "forbidden" authorizer...
+#
+#   *) The "!" can be used before a module to explicitly state that it
+#      is NOT forbidden. Whenever this form is seen, then all modules will
+#      be forbidden unless one of the "!" modules match.
+#
+#   *) Tests are performed in sequence. The first match will terminate the
+#      testing. This allows for more complex allow/deny patterns.
+#
+# NOTE: Again, this is for the hiding of modules within repositories, *not* 
+# for the hiding of repositories (roots) themselves.
+#
+# Some examples:
+#
+#    Disallow files named "PRIVATE", but allow all others:
+#       forbidden = /PRIVATE$
+#
+#    Allow only the "example1" and "example2" roots and the paths inside them,
+#    disallowing all others (which can be done in multiple ways):
+#       forbidden = !^example1(/|$), !^example2(/|$)/
+#       forbidden = !^example[12](/|$)
+#
+forbidden = 
+
 #---------------------------------------------------------------------------
 [authz-svnauthz]