[BACK]Return to lonacc.pm CVS log [TXT] [DIR] Up to [LON-CAPA] / loncom / auth
File:  [LON-CAPA] / loncom / auth / lonacc.pm
Revision 1.96: download - view: text, annotated - select for diffs
Tue Sep 5 17:33:06 2006 UTC (17 years, 8 months ago) by albertel
Branches: MAIN
CVS tags: HEAD
- BUG#5005, need to shift to maintianing the jsmath processing status to a stack since we can create subpages when creating the main page thus need to track the need for each sub page independently

    1: # The LearningOnline Network
    2: # Cookie Based Access Handler
    3: #
    4: # $Id: lonacc.pm,v 1.96 2006/09/05 17:33:06 albertel Exp $
    5: #
    6: # Copyright Michigan State University Board of Trustees
    7: #
    8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
    9: #
   10: # LON-CAPA is free software; you can redistribute it and/or modify
   11: # it under the terms of the GNU General Public License as published by
   12: # the Free Software Foundation; either version 2 of the License, or
   13: # (at your option) any later version.
   14: #
   15: # LON-CAPA is distributed in the hope that it will be useful,
   16: # but WITHOUT ANY WARRANTY; without even the implied warranty of
   17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   18: # GNU General Public License for more details.
   19: #
   20: # You should have received a copy of the GNU General Public License
   21: # along with LON-CAPA; if not, write to the Free Software
   22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
   23: #
   24: # /home/httpd/html/adm/gpl.txt
   25: #
   26: # http://www.lon-capa.org/
   27: #
   28: ###
   29: 
   30: package Apache::lonacc;
   31: 
   32: use strict;
   33: use Apache::Constants qw(:common :http :methods);
   34: use Apache::File;
   35: use Apache::lonnet;
   36: use Apache::loncommon();
   37: use Apache::lonlocal;
   38: use Apache::restrictedaccess();
   39: use CGI::Cookie();
   40: use Fcntl qw(:flock);
   41: use LONCAPA;
   42: 
   43: sub cleanup {
   44:     my ($r)=@_;
   45:     if (! $r->is_initial_req()) { return DECLINED; }
   46:     &Apache::lonnet::save_cache();
   47:     &Apache::lontexconvert::jsMath_reset();
   48:     return OK;
   49: }
   50: 
   51: sub goodbye {
   52:     my ($r)=@_;
   53:     &Apache::lonnet::goodbye();
   54:     return DONE;
   55: }
   56: 
   57: ###############################################
   58: 
   59: sub get_posted_cgi {
   60:     my ($r) = @_;
   61: 
   62:     my $buffer;
   63:     if ($r->header_in('Content-length')) {
   64: 	$r->read($buffer,$r->header_in('Content-length'),0);
   65:     }
   66:     unless ($buffer=~/^(\-+\w+)\s+Content\-Disposition\:\s*form\-data/si) {
   67: 	my @pairs=split(/&/,$buffer);
   68: 	my $pair;
   69: 	foreach $pair (@pairs) {
   70: 	    my ($name,$value) = split(/=/,$pair);
   71: 	    $value =~ tr/+/ /;
   72: 	    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg;
   73: 	    $name  =~ tr/+/ /;
   74: 	    $name  =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg;
   75: 	    &Apache::loncommon::add_to_env("form.$name",$value);
   76: 	}
   77:     } else {
   78: 	my $contentsep=$1;
   79: 	my @lines = split (/\n/,$buffer);
   80: 	my $name='';
   81: 	my $value='';
   82: 	my $fname='';
   83: 	my $fmime='';
   84: 	my $i;
   85: 	for ($i=0;$i<=$#lines;$i++) {
   86: 	    if ($lines[$i]=~/^$contentsep/) {
   87: 		if ($name) {
   88: 		    chomp($value);
   89: 		    if ($fname) {
   90: 			$env{"form.$name.filename"}=$fname;
   91: 			$env{"form.$name.mimetype"}=$fmime;
   92: 		    } else {
   93: 			$value=~s/\s+$//s;
   94: 		    }
   95: 		    &Apache::loncommon::add_to_env("form.$name",$value);
   96: 		}
   97: 		if ($i<$#lines) {
   98: 		    $i++;
   99: 		    $lines[$i]=~
  100: 		/Content\-Disposition\:\s*form\-data\;\s*name\=\"([^\"]+)\"/i;
  101: 		    $name=$1;
  102: 		    $value='';
  103: 		    if ($lines[$i]=~/filename\=\"([^\"]+)\"/i) {
  104: 			$fname=$1;
  105: 			if 
  106:                             ($lines[$i+1]=~/Content\-Type\:\s*([\w\-\/]+)/i) {
  107: 				$fmime=$1;
  108: 				$i++;
  109: 			    } else {
  110: 				$fmime='';
  111: 			    }
  112: 		    } else {
  113: 			$fname='';
  114: 			$fmime='';
  115: 		    }
  116: 		    $i++;
  117: 		}
  118: 	    } else {
  119: 		$value.=$lines[$i]."\n";
  120: 	    }
  121: 	}
  122:     }
  123: #
  124: # Digested POSTed values
  125: #
  126: # Remember the way this was originally done (GET or POST)
  127: #
  128:     $env{'request.method'}=$ENV{'REQUEST_METHOD'};
  129: #
  130: # There may also be stuff in the query string
  131: # Tell subsequent handlers that this was GET, not POST, so they can access query string.
  132: # Also, unset POSTed content length to cover all tracks.
  133: #
  134: 
  135:     $r->method_number(M_GET);
  136: 
  137:     $r->method('GET');
  138:     $r->headers_in->unset('Content-length');
  139: }
  140: 
  141: # handle the case of the single sign on user, at this point $r->user 
  142: # will be set and valid now need to find the loncapa user info and possibly
  143: # balance them
  144: # returns OK if it was a SSO and user was handled
  145: #         undef if not SSO or no means to hanle the user
  146: sub sso_login {
  147:     my ($r,$lonid,$handle) = @_;
  148: 
  149:     my $lonidsdir=$r->dir_config('lonIDsDir');
  150:     if (!($r->user 
  151: 	  && (!defined($env{'user.name'}) && !defined($env{'user.domain'}))
  152: 	  && (!$lonid || !-e "$lonidsdir/$handle.id" || $handle eq ''))) {
  153: 	# not an SSO case or already logged in
  154: 	return undef;
  155:     }
  156: 
  157:     my $domain = $r->dir_config('lonDefDomain');
  158:     my $home=&Apache::lonnet::homeserver($r->user,$domain);
  159:     if ($home !~ /(con_lost|no_host|no_such_host)/) {
  160: 	if ($r->dir_config("lonBalancer") eq 'yes') {
  161: 	    # login but immeaditly go to switch server to find us a new 
  162: 	    # machine
  163: 	    &Apache::lonauth::success($r,$r->user,$domain,$home,'noredirect');
  164: 	    $r->internal_redirect('/adm/switchserver');
  165: 	} else {
  166: 	    # need to login them in, so generate the need data that
  167: 	    # migrate expects to do login
  168: 	    my %info=('ip'        => $r->connection->remote_ip(),
  169: 		      'domain'    => $domain,
  170: 		      'username'  => $r->user,
  171: 		      'server'    => $r->dir_config('lonHostID'),
  172: 		      'sso.login' => 1
  173: 		      );
  174: 	    my $token = 
  175: 		&Apache::lonnet::tmpput(\%info,
  176: 					$r->dir_config('lonHostID'));
  177: 	    $env{'form.token'} = $token;
  178: 	    $r->internal_redirect('/adm/migrateuser');
  179: 	}
  180: 	return OK;
  181:     } elsif (defined($r->dir_config('lonSSOUserUnkownRedirect'))) {
  182: 	$r->internal_redirect($r->dir_config('lonSSOUserUnkownRedirect'));
  183: 	return OK;
  184:     }
  185:     return undef;
  186: }
  187: 
  188: sub handler {
  189:     my $r = shift;
  190:     my $requrl=$r->uri;
  191:     my %cookies=CGI::Cookie->parse($r->header_in('Cookie'));
  192:     my $lonid=$cookies{'lonID'};
  193:     my $cookie;
  194:     my $lonidsdir=$r->dir_config('lonIDsDir');
  195: 
  196:     my $handle;
  197:     if ($lonid) {
  198: 	$handle=$lonid->value;
  199:         $handle=~s/\W//g;
  200:     }
  201: 
  202:     if (my $result = &sso_login($r,$lonid,$handle)) {
  203: 	return $result
  204:     }
  205: 
  206: 
  207:     if ($r->dir_config("lonBalancer") eq 'yes') {
  208: 	$r->set_handlers('PerlResponseHandler'=>
  209: 			 [\&Apache::switchserver::handler]);
  210:     }
  211:     
  212:     if ($handle eq '') {
  213: 	$r->log_reason("Cookie $handle not valid", $r->filename); 
  214:     } elsif ((-e "$lonidsdir/$handle.id") && ($handle ne '')) {
  215: 
  216: # ------------------------------------------------------ Initialize Environment
  217: 
  218: 	&Apache::lonnet::transfer_profile_to_env($lonidsdir,$handle);
  219: 
  220: # --------------------------------------------------------- Initialize Language
  221: 
  222: 	&Apache::lonlocal::get_language_handle($r);
  223: 
  224:     }
  225: 
  226: # -------------------------------------------------- Should be a valid user now
  227:     if ($env{'user.name'} ne '' && $env{'user.domain'} ne '') {
  228: # -------------------------------------------------------------- Resource State
  229: 
  230: 	if ($requrl=~/^\/+(res|uploaded)\//) {
  231: 	    $env{'request.state'} = "published";
  232: 	} else {
  233: 	    $env{'request.state'} = 'unknown';
  234: 	}
  235: 	$env{'request.filename'} = $r->filename;
  236: 	$env{'request.noversionuri'} = &Apache::lonnet::deversion($requrl);
  237: # -------------------------------------------------------- Load POST parameters
  238: 
  239: 	&Apache::lonacc::get_posted_cgi($r);
  240: 
  241: # ---------------------------------------------------------------- Check access
  242: 	my $now = time;
  243: 	if ($requrl !~ m{^/(?:adm|public|prtspool)/}
  244: 	    || $requrl =~ /^\/adm\/.*\/(smppg|bulletinboard)(\?|$ )/x) {
  245: 	    my $access=&Apache::lonnet::allowed('bre',$requrl);
  246: 	    if ($access eq '1') {
  247: 		$env{'user.error.msg'}="$requrl:bre:0:0:Choose Course";
  248: 		return HTTP_NOT_ACCEPTABLE; 
  249: 	    }
  250: 	    if ($access eq 'A') {
  251: 		&Apache::restrictedaccess::setup_handler($r);
  252: 		return OK;
  253: 	    }
  254: 	    if (($access ne '2') && ($access ne 'F')) {
  255: 		$env{'user.error.msg'}="$requrl:bre:1:1:Access Denied";
  256: 		return HTTP_NOT_ACCEPTABLE; 
  257: 	    }
  258: 	}
  259: 	if ($requrl =~ m|^/prtspool/|) {
  260: 	    my $start='/prtspool/'.$env{'user.name'}.'_'.
  261: 		$env{'user.domain'};
  262: 	    if ($requrl !~ /^\Q$start\E/) {
  263: 		$env{'user.error.msg'}="$requrl:bre:1:1:Access Denied";
  264: 		return HTTP_NOT_ACCEPTABLE;
  265: 	    }
  266: 	}
  267: 	if ($env{'user.name'} eq 'public' && 
  268: 	    $env{'user.domain'} eq 'public' &&
  269: 	    $requrl !~ m{^/+(res|public|uploaded)/} &&
  270: 	    $requrl !~ m{^/adm/[^/]+/[^/]+/aboutme/portfolio$ }x &&
  271: 	    $requrl !~ m{^/+adm/(help|logout|restrictedaccess|randomlabel\.png)}) {
  272: 	    $env{'request.querystring'}=$r->args;
  273: 	    $env{'request.firsturl'}=$requrl;
  274: 	    return FORBIDDEN;
  275: 	}
  276: # ------------------------------------------------------------- This is allowed
  277: 	if ($env{'request.course.id'}) {
  278: 	    &Apache::lonnet::countacc($requrl);
  279: 	    $requrl=~/\.(\w+)$/;
  280: 	    if ((&Apache::loncommon::fileembstyle($1) eq 'ssi') ||
  281: 		($requrl=~/^\/adm\/.*\/(aboutme|navmaps|smppg|bulletinboard)(\?|$ )/x) ||
  282: 		($requrl=~/^\/adm\/wrapper\//) ||
  283: 		($requrl=~m|^/adm/coursedocs/showdoc/|) ||
  284: 		($requrl=~m|\.problem/smpedit$|) ||
  285: 		($requrl=~/^\/public\/.*\/syllabus$/)) {
  286: # ------------------------------------- This is serious stuff, get symb and log
  287: 		my $query=$r->args;
  288: 		my $symb;
  289: 		if ($query) {
  290: 		    &Apache::loncommon::get_unprocessed_cgi($query,['symb']);
  291: 		}
  292: 		if ($env{'form.symb'}) {
  293: 		    $symb=&Apache::lonnet::symbclean($env{'form.symb'});
  294: 		    if ($requrl =~ m|^/adm/wrapper/|
  295: 			|| $requrl =~ m|^/adm/coursedocs/showdoc/|) {
  296: 			my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
  297: 			&Apache::lonnet::symblist($map,$murl => [$murl,$mid],
  298: 						  'last_known' =>[$murl,$mid]);
  299: 		    } elsif ((&Apache::lonnet::symbverify($symb,$requrl)) ||
  300: 			     (($requrl=~m|(.*)/smpedit$|) &&
  301: 			      &Apache::lonnet::symbverify($symb,$1))) {
  302: 			my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
  303: 			&Apache::lonnet::symblist($map,$murl => [$murl,$mid],
  304: 						  'last_known' =>[$murl,$mid]);
  305: 		    } else {
  306: 			$r->log_reason('Invalid symb for '.$requrl.': '.
  307: 				       $symb);
  308: 			$env{'user.error.msg'}=
  309: 			    "$requrl:bre:1:1:Invalid Access";
  310: 			return HTTP_NOT_ACCEPTABLE; 
  311: 		    }
  312: 		} else {
  313: 		    $symb=&Apache::lonnet::symbread($requrl);
  314: 		    if (&Apache::lonnet::is_on_map($requrl) && $symb &&
  315: 			!&Apache::lonnet::symbverify($symb,$requrl)) {
  316: 			$r->log_reason('Invalid symb for '.$requrl.': '.$symb);
  317: 			$env{'user.error.msg'}=
  318: 			    "$requrl:bre:1:1:Invalid Access";
  319: 			return HTTP_NOT_ACCEPTABLE; 
  320: 		    }
  321: 		    if ($symb) {
  322: 			my ($map,$mid,$murl)=
  323: 			    &Apache::lonnet::decode_symb($symb);
  324: 			&Apache::lonnet::symblist($map,$murl =>[$murl,$mid],
  325: 						  'last_known' =>[$murl,$mid]);
  326: 		    }
  327: 		}
  328: 		$env{'request.symb'}=$symb;
  329: 		&Apache::lonnet::courseacclog($symb);
  330: 	    } else {
  331: # ------------------------------------------------------- This is other content
  332: 		&Apache::lonnet::courseacclog($requrl);    
  333: 	    }
  334: 	}
  335: 	return OK;
  336:     }
  337: # -------------------------------------------- See if this is a public resource
  338:     if ($requrl=~m|^/+adm/+help/+|) {
  339:  	return OK;
  340:     }
  341: # ------------------------------------ See if this is a viewable portfolio file
  342:     if (&Apache::lonnet::is_portfolio_url($requrl)) {
  343: 	my $access=&Apache::lonnet::allowed('bre',$requrl);
  344: 	if ($access eq 'A') {
  345: 	    &Apache::restrictedaccess::setup_handler($r);
  346: 	    return OK;
  347: 	}
  348: 	if (($access ne '2') && ($access ne 'F')) {
  349: 	    $env{'user.error.msg'}="$requrl:bre:1:1:Access Denied";
  350: 	    return HTTP_NOT_ACCEPTABLE;
  351: 	}
  352:     }
  353: 
  354: # -------------------------------------------------------------- Not authorized
  355:     $requrl=~/\.(\w+)$/;
  356: #    if ((&Apache::loncommon::fileembstyle($1) eq 'ssi') ||
  357: #        ($requrl=~/^\/adm\/(roles|logout|email|menu|remote)/) ||
  358: #        ($requrl=~m|^/prtspool/|)) {
  359: # -------------------------- Store where they wanted to go and get login screen
  360: 	$env{'request.querystring'}=$r->args;
  361: 	$env{'request.firsturl'}=$requrl;
  362:        return FORBIDDEN;
  363: #   } else {
  364: # --------------------------------------------------------------------- Goodbye
  365: #       return HTTP_BAD_REQUEST;
  366: #   }
  367: }
  368: 
  369: 1;
  370: __END__
  371: 
  372: =head1 NAME
  373: 
  374: Apache::lonacc - Cookie Based Access Handler
  375: 
  376: =head1 SYNOPSIS
  377: 
  378: Invoked (for various locations) by /etc/httpd/conf/srm.conf:
  379: 
  380:  PerlAccessHandler       Apache::lonacc
  381: 
  382: =head1 INTRODUCTION
  383: 
  384: This module enables cookie based authentication and is used
  385: to control access for many different LON-CAPA URIs.
  386: 
  387: Whenever the client sends the cookie back to the server, 
  388: this cookie is handled by either lonacc.pm or loncacc.pm
  389: (see srm.conf for what is invoked when).  If
  390: the cookie is missing or invalid, the user is re-challenged
  391: for login information.
  392: 
  393: This is part of the LearningOnline Network with CAPA project
  394: described at http://www.lon-capa.org.
  395: 
  396: =head1 HANDLER SUBROUTINE
  397: 
  398: This routine is called by Apache and mod_perl.
  399: 
  400: =over 4
  401: 
  402: =item *
  403: 
  404: transfer profile into environment
  405: 
  406: =item *
  407: 
  408: load POST parameters
  409: 
  410: =item *
  411: 
  412: check access
  413: 
  414: =item *
  415: 
  416: if allowed, get symb, log, generate course statistics if applicable
  417: 
  418: =item *
  419: 
  420: otherwise return error
  421: 
  422: =item *
  423: 
  424: see if public resource
  425: 
  426: =item *
  427: 
  428: store attempted access
  429: 
  430: =back
  431: 
  432: =cut
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>