Wednesday, October 14, 2009

Configuring redmine to be your all in one project manager

Well, it was a lot of work (when I did it the first time), but it could have been worse. The goal was to take redmine's user/group information and tie it into the source code management side with all the groups preserved. There are recipes for subversion integration of this kind, and that one was a great base, but not only was it subversion-only, I also didn't like that a magic script ran every x minutes to create repositories that didn't exist yet. I did use everything up to and including the MySQL auth part, so follow that tutorial first and break off once you've completed the MySQL NSS/PAM configuration. A word of warning: I tried to make this as secure as possible, but I could not do everything needed without resorting to two very careful entries in the /etc/sudoers file.

I should also point out that you probably will want to run redmine as a system user. I created a redmine user for this and wrote an appropriate configuration for lighttpd. I also made redmine work over HTTPS, but that is easily googleable. From here on out, it's assumed that the redmine user exists and is the account redmine runs as.

Let's configure and take a look at the environment.

Perform the following actions as root.
mkdir /home/redmineusers
chown -R root:root /home/redmineusers
cd /home/redmineusers
mkdir bin projects
chown -R root:root bin
chown -R redmine:root projects
After following the above tutorial, change the shell_column and homedir_column properties so that every redmine user gets the restricted shell and the shared home directory:
users.shell_column = "/bin/rbash";
users.homedir_column = "/home/redmineusers/";

/home/redmineusers/.profile
umask 0007
export PATH=$HOME/bin/
There are symbolic links to it from .bashrc and .bash_login. This seemed necessary for ssh to work OK with the environment.

/usr/local/bin/hg.wrapper
#!/bin/bash
# Only one command shape is allowed through the gateway:
#   hg -R projects/<identifier> serve --stdio
# The pattern is anchored at both ends so nothing can be prepended or appended.
SRVSTRING="^-R projects/[a-z0-9-]+ serve --stdio$"
export PATH=/bin:/usr/bin:$PATH
# Normalise both paths (strip any trailing slash) before comparing them.
CWD="$(dirname "$PWD/")/$(basename "$PWD/")"
HOME="$(dirname "$HOME/")/$(basename "$HOME/")"
# The caller must be in the shared home directory and the complete argument
# list (not just the first word) must match the allowed command.
if [[ "$CWD" == "$HOME" && "$*" =~ $SRVSTRING ]]
then
    /usr/bin/hg -R "$2" serve --stdio
    if [[ $? == 0 ]]
    then
        # After a successful session, restore group ownership and permissions
        # on anything hg just wrote so the other project members keep access.
        /usr/bin/sudo /usr/local/bin/fixrepoperms "$2" 2>/dev/null
        exit 0
    else
        exit 1
    fi
else
    exit 1
fi
Make a symbolic link /home/redmineusers/bin/hg -> /usr/local/bin/hg.wrapper, so that the only hg in a user's PATH is the wrapper.

/usr/local/bin/createrepo
#!/bin/bash
# Intended to be run by the redmine user through the sudoers entry below.
# Creates /home/redmineusers/projects/<identifier> and hands it to the
# project's group (the group with the same name that redmine creates).
ROOT_PATH=/home/redmineusers/projects/
# Identifiers may only contain lowercase letters, digits and dashes; the
# anchors guarantee a path separator can never sneak in.
RE="^[a-z0-9-]+$"
if [[ "$1" =~ $RE ]]
then
    cd "$ROOT_PATH" || exit 1
    /usr/bin/hg init "$1" || exit 1
    chown -R redmine:"$1" "$1"                    # owner redmine, group = project group
    chmod -R o-rwx "$1"                           # nothing for "other"
    find "$1" -type d -exec chmod a+s "{}" ";"    # setgid dirs: new files inherit the group
    chmod -R g+rw "$1"                            # group members may read and write
    true
else
    false
fi

/usr/local/bin/fixrepoperms
#!/bin/bash
# Called via sudo from hg.wrapper after every "hg serve" session. Restores
# group ownership and the group-writable/setgid bits on the repository so
# files created by one developer stay usable by the others.
# Anchored so that only a bare "projects/<identifier>" argument is accepted.
RE="^projects/[a-z0-9-]+$"
export PATH=/bin:/usr/bin:$PATH
CWD="$(dirname "$PWD/")/$(basename "$PWD/")"
HOME="$(dirname "$HOME/")/$(basename "$HOME/")"
if [[ "$CWD" == "$HOME" && "$*" =~ $RE ]]
then
    prj=$(basename "$1")
    chown -R redmine:"$prj" "$1"
    chmod -R o-rwx "$1"
    find "$1" -type d -exec chmod a+s "{}" ";"
    chmod -R g+rw "$1"
else
    false
fi
And now two additions to your /etc/sudoers:
redmine ALL = NOPASSWD: /usr/local/bin/createrepo
ALL ALL = NOPASSWD: /usr/local/bin/fixrepoperms
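To see exactly what the wrapper's allow-list check lets through, here is a stand-alone validator (an added example, not a script from the original post) that applies the same anchored pattern to a complete command line and additionally canonicalises the repository path, refusing anything that resolves outside the projects root. The function name validate_hg_cmd and the overridable PROJECTS_ROOT variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: validate the one command shape
# the rbash gateway is meant to pass through,
#     hg -R projects/<identifier> serve --stdio
# and confirm the repository really lives under the projects root.
# PROJECTS_ROOT is overridable (assumption) so the check can run in a temp dir.
PROJECTS_ROOT="${PROJECTS_ROOT:-/home/redmineusers/projects}"

# validate_hg_cmd "<full command line>"
# Prints the project identifier and returns 0 when the command is acceptable,
# returns 1 (printing nothing) otherwise.
validate_hg_cmd() {
    cmd=$1
    # Same identifier alphabet as the post's scripts. expr anchors the match at
    # the start and the trailing $ anchors the end, so nothing may follow
    # "--stdio". The leading "x" keeps expr from misreading a dash-led string.
    name=$(expr "x$cmd" : 'xhg -R projects/\([a-z0-9-][a-z0-9-]*\) serve --stdio$')
    [ -n "$name" ] || return 1
    repo="$PROJECTS_ROOT/$name"
    # The repository must already exist, i.e. createrepo ran for this project.
    [ -d "$repo/.hg" ] || return 1
    # Resolve symlinks on both sides and insist the repo is inside the root.
    root=$(cd "$PROJECTS_ROOT" 2>/dev/null && pwd -P) || return 1
    real=$(cd "$repo" 2>/dev/null && pwd -P) || return 1
    case $real in
        "$root"/*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$name"
}

# Stand-alone demo on a constructed layout in a temp directory: one real
# repository and one symlink that points outside the projects root.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/projects/demo/.hg" "$tmp/outside/.hg"
    ln -s "$tmp/outside" "$tmp/projects/escape"
    PROJECTS_ROOT="$tmp/projects"
    for c in 'hg -R projects/demo serve --stdio' \
             'hg -R projects/escape serve --stdio' \
             'hg -R projects/demo serve --stdio --debug'; do
        if validate_hg_cmd "$c" >/dev/null; then echo "allow: $c"; else echo "deny:  $c"; fi
    done
    rm -rf "$tmp"
fi
```

Run it with `--demo` to see the first command allowed and the other two denied.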
And now you apply a patch. It's dirty-ish code, but it works OK and is much cleaner than things I've seen in the past for this: for instance, when you create your project you won't have to wait x minutes for the repo to show up!

Index: app/controllers/projects_controller.rb
===================================================================
--- app/controllers/projects_controller.rb (revision 2924)
+++ app/controllers/projects_controller.rb (working copy)
@@ -74,6 +74,13 @@
@project.enabled_module_names = Redmine::AccessControl.available_project_modules
else
@project.enabled_module_names = params[:enabled_modules]
+ r = Repository.factory("Mercurial",:root_url => "/home/redmineusers/projects/#{@project.identifier}",
+ :url => "/home/redmineusers/projects/#{@project.identifier}")
+ @project.repository = r
+ g = Group.new({ "lastname" => @project.identifier} ) #blidly create a new accompanying group
+ gr = Role.givable.find_by_name("Developer")
+ gm = Member.new(:principal => g, :roles => [gr], :project => @project)
+ @project.members << m =" Member.new(:user"> User.current, :roles => [r])
@project.members << controller =""> 'projects', :action => 'settings', :id => @project
end
end
+
+
end

def copy
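Review bot: the last two added lines of this hunk (`@project.members << m =" Member.new(:user"> User.current, :roles => [r])` and `@project.members << controller =""> 'projects', :action => 'settings', :id => @project`) are mangled by HTML extraction and will neither parse nor apply, so the hunk needs to be re-posted from the working copy. On the lines that are readable: the group built with `Group.new({ "lastname" => @project.identifier} )` is never saved explicitly, so it only reaches the database if saving @project cascades through the new Member, which is worth confirming since createrepo's `chown -R redmine:"$1"` needs that group to exist when it runs; the repository path `/home/redmineusers/projects/#{@project.identifier}` is hard-coded here and again as ROOT_PATH in createrepo, so one setting would keep them in step; and although the sudoers entry lets the redmine user run createrepo, no call to it appears in the hunk as shown. Minor: "blidly" in the comment should be "blindly".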
Index: extra/svn/create_views.sql
===================================================================
--- extra/svn/create_views.sql (revision 2924)
+++ extra/svn/create_views.sql (working copy)
@@ -13,7 +13,7 @@
from projects;

CREATE OR REPLACE VIEW nss_users AS
-select login AS username, CONCAT_WS(' ', firstname, lastname) as realname, (id + 5000) AS uid, 'x' AS password
+select login AS username, CONCAT_WS(' ', firstname, lastname) as realname, (id + 5000) AS uid, 'x' AS password,
from users
where status = 1;
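Review bot: the only visible change in this hunk is a trailing comma after `'x' AS password`, which turns the view body into `select ... 'x' AS password, from users` and is a SQL syntax error, so `CREATE OR REPLACE VIEW nss_users` would fail rather than "rerun just fine". The `where status = 1;` filter that the text credits this patch with appears here as unchanged context; presumably the intended diff adds that line and not the comma, so the hunk should be regenerated against the stock create_views.sql.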
Make sure you rerun the create_views.sql script. It should rerun just fine, and now users have to be active (status = 1) rather than merely exist.

If you've completed the above, congratulations. You now have a secure, private sandboxed environment for every project (in which you're protected by good old unix permissions) that is tied to your redmine user/group database. Each project gets its own group on creation, and you must add developers to this group to give them source code management access. You also have a secured, restricted environment for users to ssh into, though really only as a gateway to hg serve. You should be able to adapt this to your needs for your flavor of SCM. Redmine should also have your repository entered upon project creation (it seems you must make a commit before it looks like it works, which is understandable).
