--- loncom/auth/lonacc.pm 2021/08/06 12:39:59 1.193 +++ loncom/auth/lonacc.pm 2021/11/30 15:55:40 1.201 @@ -1,7 +1,7 @@ # The LearningOnline Network # Cookie Based Access Handler # -# $Id: lonacc.pm,v 1.193 2021/08/06 12:39:59 raeburn Exp $ +# $Id: lonacc.pm,v 1.201 2021/11/30 15:55:40 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -305,7 +305,8 @@ sub sso_login { my $query = $r->args; my %form; if ($query) { - my @items = ('role','symb','iptoken','origurl'); + my @items = ('role','symb','iptoken','origurl','ttoken', + 'ltoken','linkkey','logtoken','sso'); &Apache::loncommon::get_unprocessed_cgi($query,\@items); foreach my $item (@items) { if (defined($env{'form.'.$item})) { @@ -323,6 +324,101 @@ sub sso_login { } } + my ($linkprot,$linkkey); + +# +# If Shibboleth auth is in use, and a dual SSO and non-SSO login page +# is in use, then the query string will contain the logtoken item with +# a value set to the name of a .tmp file in /home/httpd/perl/tmp +# containing the url to display after authentication, and also, +# optionally, role and symb, or linkprot or linkkey (deep-link access). +# +# If Shibboleth auth is in use, but a dual log-in page is not in use, +# and the originally requested URL was /tiny/$domain/$id (i.e., +# for deeplinking), then the query string will contain the sso item +# with a value set to the name of a .tmp file in /home/httpd/perl/tmp +# containing the url to display after authentication, and also, +# optionally, linkprot or linkkey (deep-link access). +# +# Otherwise the query string may contain role and symb, or if the +# originally requested URL was /tiny/$domain/$id (i.e. for deeplinking) +# then the query string may contain a ttoken item with a value set +# to the name of a .tmp file in /home/httpd/perl/tmp containing either +# linkprot or linkkey (deep-link access). +# +# If deep-linked, i.e., the originally requested URL was /tiny/$domain/$id +# the linkkey may have originally been sent in POSTed data, which will +# have been processed in lontrans.pm +# + + if ($form{'ttoken'}) { + my %info = &Apache::lonnet::tmpget($form{'ttoken'}); + &Apache::lonnet::tmpdel($form{'ttoken'}); + if ($info{'origurl'}) { + $form{'origurl'} = $info{'origurl'}; + } + if ($info{'linkprot'}) { + $linkprot = $info{'linkprot'}; + } elsif ($info{'linkkey'} ne '') { + $linkkey = $info{'linkkey'}; + } + } elsif ($form{'logtoken'}) { + my ($firsturl,@rest); + my $lonhost = $r->dir_config('lonHostID'); + my $tmpinfo = &Apache::lonnet::reply('tmpget:'.$form{'logtoken'},$lonhost); + my $delete = &Apache::lonnet::tmpdel($form{'logtoken'}); + unless (($tmpinfo=~/^error/) || ($tmpinfo eq 'con_lost') || + ($tmpinfo eq 'no_such_host')) { + (undef,$firsturl,@rest) = split(/&/,$tmpinfo); + if ($firsturl ne '') { + $firsturl = &unescape($firsturl); + } + foreach my $item (@rest) { + my ($key,$value) = split(/=/,$item); + $form{$key} = &unescape($value); + } + if ($firsturl =~ m{^/tiny/$match_domain/\w+$}) { + $form{'origurl'} = $firsturl; + } + if ($form{'linkprot'}) { + $linkprot = $form{'linkprot'}; + } elsif ($form{'linkkey'} ne '') { + $linkkey = $form{'linkkey'}; + } + if ($form{'iptoken'}) { + %sessiondata = &Apache::lonnet::tmpget($form{'iptoken'}); + my $delete = &Apache::lonnet::tmpdel($form{'iptoken'}); + } + } + } elsif ($form{'sso'}) { + my $lonhost = $r->dir_config('lonHostID'); + my $info = &Apache::lonnet::reply('tmpget:'.$form{'sso'},$lonhost); + &Apache::lonnet::tmpdel($form{'sso'}); + unless (($info=~/^error/) || ($info eq 'con_lost') || + ($info eq 'no_such_host')) { + my ($firsturl,@rest)=split(/\&/,$info); + if ($firsturl ne '') { + $form{'origurl'} = &unescape($firsturl); + } + foreach my $item (@rest) { + my ($key,$value) = split(/=/,$item); + $form{$key} = &unescape($value); + } + if ($form{'linkprot'}) { + $linkprot = $form{'linkprot'}; + } elsif ($form{'linkkey'} ne '') { + $linkkey = $form{'linkkey'}; + } + } + } elsif ($form{'ltoken'}) { + my %link_info = &Apache::lonnet::tmpget($form{'ltoken'}); + $linkprot = $link_info{'linkprot'}; + my $delete = &Apache::lonnet::tmpdel($form{'ltoken'}); + delete($form{'ltoken'}); + } elsif ($form{'linkkey'} ne '') { + $linkkey = $form{'linkkey'}; + } + my $domain = $r->dir_config('lonSSOUserDomain'); if ($domain eq '') { $domain = $r->dir_config('lonDefDomain'); @@ -372,6 +468,18 @@ sub sso_login { $env{'form.origurl'} = $r->uri; } } + if (($r->uri eq '/adm/sso') && ($form{'origurl'} =~ m{^/+tiny/+$match_domain/+\w+$})) { + $env{'request.deeplink.login'} = $form{'origurl'}; + } elsif ($r->uri =~ m{^/+tiny/+$match_domain/+\w+$}) { + $env{'request.deeplink.login'} = $r->uri; + } + if ($env{'request.deeplink.login'}) { + if ($linkprot) { + $env{'request.linkprot'} = $linkprot; + } elsif ($linkkey ne '') { + $env{'request.linkkey'} = $linkkey; + } + } $env{'request.sso.login'} = 1; if (defined($r->dir_config("lonSSOReloginServer"))) { $env{'request.sso.reloginserver'} = @@ -396,6 +504,8 @@ sub sso_login { foreach my $item ('role','symb','iptoken','origurl') { if (exists($form{$item})) { $info{$item} = $form{$item}; + } elsif ($sessiondata{$item} ne '') { + $info{$item} = $sessiondata{$item}; } } unless (($info{'symb'}) || ($info{'origurl'})) { @@ -403,6 +513,18 @@ sub sso_login { $info{'origurl'} = $r->uri; } } + if (($r->uri eq '/adm/sso') && ($form{'origurl'} =~ m{^/+tiny/+$match_domain/+\w+$})) { + $info{'deeplink.login'} = $form{'origurl'}; + } elsif ($r->uri =~ m{^/+tiny/+$match_domain/+\w+$}) { + $info{'deeplink.login'} = $r->uri; + } + if ($info{'deeplink.login'}) { + if ($linkprot) { + $info{'linkprot'} = $linkprot; + } elsif ($linkkey ne '') { + $info{'linkkey'} = $linkkey; + } + } if ($r->dir_config("ssodirecturl") == 1) { $info{'origurl'} = $r->uri; } @@ -440,6 +562,8 @@ sub sso_login { $r->subprocess_env->set('SSOUserUnknown' => $user); $r->subprocess_env->set('SSOUserDomain' => $domain); if (grep(/^sso$/,@cancreate)) { +#FIXME - need to preserve origurl, role and symb, or linkprot or linkkey for use after account +# creation $r->set_handlers('PerlHandler'=> [\&Apache::createaccount::handler]); $r->handler('perl-script'); } else { @@ -479,7 +603,7 @@ sub handler { if ($handle eq '') { unless ((($requrl eq '/adm/switchserver') && (!$r->is_initial_req())) || ($requrl =~ m{^/public/$match_domain/$match_courseid/syllabus}) || - ($requrl =~ m{^/adm/help/}) || + ($requrl =~ m{^/adm/help/}) || ($requrl eq '/adm/sso') || ($requrl =~ m{^/res/$match_domain/$match_username/})) { $r->log_reason("Cookie not valid", $r->filename); } @@ -592,7 +716,7 @@ sub handler { if (($found_server) && ($balancer_cookie =~ /^\Q$env{'user.domain'}\E_\Q$env{'user.name'}\E_/)) { $otherserver = $found_server; } - unless ($requrl eq '/adm/switchserver') { + unless ($requrl eq '/adm/switchserver') { $r->set_handlers('PerlResponseHandler'=> [\&Apache::switchserver::handler]); } @@ -696,7 +820,8 @@ sub handler { } } } - $access=&Apache::lonnet::allowed('bre',$requrl,'','','','','',$nodeeplinkcheck); + my $clientip = &Apache::lonnet::get_requestor_ip($r); + $access=&Apache::lonnet::allowed('bre',$requrl,'','',$clientip,'','',$nodeeplinkcheck); } } if ($check_block) { @@ -754,7 +879,7 @@ sub handler { } } } elsif (($handle =~ /^publicuser_\d+$/) && (&Apache::lonnet::is_portfolio_url($requrl))) { - my $clientip = &Apache::lonnet::get_requestor_ip($r); + my $clientip = &Apache::lonnet::get_requestor_ip($r); if (&Apache::lonnet::allowed('bre',$requrl,undef,undef,$clientip) ne 'F') { $env{'user.error.msg'}="$requrl:bre:1:1:Access Denied"; return HTTP_NOT_ACCEPTABLE; @@ -823,7 +948,7 @@ sub handler { my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb); if ($map =~ /\.page$/) { my $mapsymb = &Apache::lonnet::symbread($map); - ($map,$mid,$murl)=&Apache::lonnet::decode_symb($mapsymb); + ($map,$mid,$murl)=&Apache::lonnet::decode_symb($mapsymb); } &Apache::lonnet::symblist($map,$murl => [$murl,$mid], 'last_known' =>[$murl,$mid]);