--- loncom/auth/lonauth.pm	2014/05/04 15:16:10	1.121.2.11
+++ loncom/auth/lonauth.pm	2019/08/01 00:42:34	1.121.2.17
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # User Authentication Module
 #
-# $Id: lonauth.pm,v 1.121.2.11 2014/05/04 15:16:10 raeburn Exp $
+# $Id: lonauth.pm,v 1.121.2.17 2019/08/01 00:42:34 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -32,8 +32,6 @@ use strict;
 use LONCAPA;
 use Apache::Constants qw(:common);
 use CGI qw(:standard);
-use DynaLoader; # for Crypt::DES version
-use Crypt::DES;
 use Apache::loncommon();
 use Apache::lonnet;
 use Apache::lonmenu();
@@ -73,7 +71,7 @@ sub success {
     }
 
 # ------------------------------------------------------------ Get cookie ready
-    $cookie="lonID=$cookie; path=/";
+    $cookie="lonID=$cookie; path=/; HttpOnly";
 # -------------------------------------------------------- Menu script and info
     my $destination = $lowerurl;
 
@@ -103,9 +101,7 @@ sub success {
         if ($destsymb =~ /___/) {
             # FIXME Need to deal with encrypted symbs and urls as needed.
             my ($map,$resid,$desturl)=split(/___/,$destsymb);
-            unless ($desturl=~/^(adm|editupload|public)/) {
-                $desturl = &Apache::lonnet::clutter($desturl);
-            }
+            $desturl = &Apache::lonnet::clutter($desturl);
             $desturl = &HTML::Entities::encode($desturl,'"<>&');
             $destsymb = &HTML::Entities::encode($destsymb,'"<>&');
             $destination .= 'destinationurl='.$desturl.
@@ -240,7 +236,6 @@ sub reroute {
 sub handler {
     my $r = shift;
     my $londocroot = $r->dir_config('lonDocRoot');
-    my $form;
 # Are we re-routing?
     if (-e "$londocroot/lon-status/reroute.txt") {
 	&reroute($r);
@@ -304,10 +299,11 @@ sub handler {
 
 # split user logging in and "su"-user
 
-    ($form{'uname'},$form{'suname'})=split(/\:/,$form{'uname'});
+    ($form{'uname'},$form{'suname'},$form{'sudom'})=split(/\:/,$form{'uname'});
     $form{'uname'} = &LONCAPA::clean_username($form{'uname'});
     $form{'suname'}= &LONCAPA::clean_username($form{'suname'});
-    $form{'udom'}  = &LONCAPA::clean_domain(  $form{'udom'});
+    $form{'udom'}  = &LONCAPA::clean_domain($form{'udom'});
+    $form{'sudom'} = &LONCAPA::clean_domain($form{'sudom'});
 
     my $role   = $r->dir_config('lonRole');
     my $domain = $r->dir_config('lonDefDomain');
@@ -319,12 +315,6 @@ sub handler {
     my $tmpinfo=Apache::lonnet::reply('tmpget:'.$form{'logtoken'},
                                       $form{'serverid'});
 
-    my %sessiondata;
-    if ($form{'iptoken'}) {
-        %sessiondata = &Apache::lonnet::tmpget($form{'iptoken'});
-        my $delete = &Apache::lonnet::tmpdel($form{'iptoken'});
-    }
-
     if (($tmpinfo=~/^error/) || ($tmpinfo eq 'con_lost') || 
         ($tmpinfo eq 'no_such_host')) {
 	&failed($r,'Information needed to verify your login information is missing, inaccessible or expired.',\%form);
@@ -344,40 +334,27 @@ sub handler {
         return OK;
     }
 
-    my ($key,$firsturl,$rolestr,$symbstr)=split(/&/,$tmpinfo);
+    my ($key,$firsturl,$rolestr,$symbstr,$iptokenstr)=split(/&/,$tmpinfo);
     if ($rolestr) {
         $rolestr = &unescape($rolestr);
     }
     if ($symbstr) {
         $symbstr= &unescape($symbstr);
     }
+    if ($iptokenstr) {
+        $iptokenstr = &unescape($iptokenstr);
+    }
     if ($rolestr =~ /^role=/) {
         (undef,$form{'role'}) = split('=',$rolestr);
     }
     if ($symbstr =~ /^symb=/) { 
         (undef,$form{'symb'}) = split('=',$symbstr);
     }
-
-    my $keybin=pack("H16",$key);
-
-    my $cipher;
-    if ($Crypt::DES::VERSION>=2.03) {
-	$cipher=new Crypt::DES $keybin;
+    if ($iptokenstr =~ /^iptoken=/) {
+        (undef,$form{'iptoken'}) = split('=',$iptokenstr);
     }
-    else {
-	$cipher=new DES $keybin;
-    }
-    my $upass='';
-    for (my $i=0;$i<=2;$i++) {
-	my $chunk=
-	    $cipher->decrypt(unpack("a8",pack("H16",substr($form{'upass'.$i},0,16))));
-
-	$chunk.=
-	    $cipher->decrypt(unpack("a8",pack("H16",substr($form{'upass'.$i},16,16))));
 
-	$chunk=substr($chunk,1,ord(substr($chunk,0,1)));
-	$upass.=$chunk;
-    }
+    my $upass = &Apache::loncommon::des_decrypt($key,$form{'upass0'});
 
 # ---------------------------------------------------------------- Authenticate
 
@@ -441,6 +418,8 @@ sub handler {
 
     my $hosthere;
     if ($form{'iptoken'}) {
+        my %sessiondata = &Apache::lonnet::tmpget($form{'iptoken'});
+        my $delete = &Apache::lonnet::tmpdel($form{'iptoken'});
         if (($sessiondata{'domain'} eq $form{'udom'}) &&
             ($sessiondata{'username'} eq $form{'uname'})) {
             $hosthere = 1;
@@ -449,20 +428,68 @@ sub handler {
 
 # --------------------------------- Are we attempting to login as somebody else?
     if ($form{'suname'}) {
+        my ($suname,$sudom,$sudomref);
+        $suname = $form{'suname'};
+        $sudom = $form{'udom'};
+        if ($form{'sudom'}) {
+            unless ($sudom eq $form{'sudom'}) {
+                if (&Apache::lonnet::domain($form{'sudom'})) {
+                    $sudomref = [$form{'sudom'}];
+                    $sudom = $form{'sudom'};
+                }
+            }
+        }
 # ------------ see if the original user has enough privileges to pull this stunt
-	if (&Apache::lonnet::privileged($form{'uname'},$form{'udom'})) {
+	if (&Apache::lonnet::privileged($form{'uname'},$form{'udom'},$sudomref)) {
 # ---------------------------------------------------- see if the su-user exists
-	    unless (&Apache::lonnet::homeserver($form{'suname'},$form{'udom'})
-		eq 'no_host') {
-		&Apache::lonnet::logthis(&Apache::lonnet::homeserver($form{'suname'},$form{'udom'}));
+	    unless (&Apache::lonnet::homeserver($suname,$sudom) eq 'no_host') {
 # ------------------------------ see if the su-user is not too highly privileged
-		unless (&Apache::lonnet::privileged($form{'suname'},$form{'udom'})) {
+		if (&Apache::lonnet::privileged($suname,$sudom)) {
+                    &Apache::lonnet::logthis('Attempted switch user to privileged user');
+                } else {
+                    my $noprivswitch;
+#
+# su-user's home server and user's home server must have one of:
+# (a) same domain
+# (b) same primary library server for the two domains
+# (c) same "internet domain" for primary library server(s) for home servers' domains
+#
+                    my $suprim = &Apache::lonnet::domain($sudom,'primary');
+                    my $suintdom = &Apache::lonnet::internet_dom($suprim);
+                    unless ($sudom eq $form{'udom'}) {
+                        my $uprim = &Apache::lonnet::domain($form{'udom'},'primary');
+                        my $uintdom = &Apache::lonnet::internet_dom($uprim);
+                        unless ($suprim eq $uprim) {
+                            unless ($suintdom eq $uintdom) {
+                                &Apache::lonnet::logthis('Attempted switch user '
+                                   .'to user with different "internet domain".');
+                                $noprivswitch = 1;
+                            }
+                        }
+                    }
+
+                    unless ($noprivswitch) {
+#
+# server where log-in occurs must have same "internet domain" as su-user's home
+# server
+#
+                        my $lonhost = $r->dir_config('lonHostID');
+                        my $hostintdom = &Apache::lonnet::internet_dom($lonhost);
+                        if ($hostintdom ne $suintdom) {
+                            &Apache::lonnet::logthis('Attempted switch user on a '
+                                .'server with a different "internet domain".');
+                        } else {
+
 # -------------------------------------------------------- actually switch users
-		    &Apache::lonnet::logperm('User '.$form{'uname'}.' at '.$form{'udom'}.
-			' logging in as '.$form{'suname'});
-		    $form{'uname'}=$form{'suname'};
-		} else {
-		    &Apache::lonnet::logthis('Attempted switch user to privileged user');
+
+			    &Apache::lonnet::logperm('User '.$form{'uname'}.' at '.
+				$form{'udom'}.' logging in as '.$suname.':'.$sudom);
+			    $form{'uname'}=$suname;
+                            if ($form{'udom'} ne $sudom) {
+                                $form{'udom'}=$sudom;
+                            }
+                        }
+                    }
 		}
 	    }
 	} else {
@@ -474,13 +501,25 @@ sub handler {
 
     unless ($hosthere) {
         ($is_balancer,$otherserver) =
-            &Apache::lonnet::check_loadbalancing($form{'uname'},$form{'udom'});
+            &Apache::lonnet::check_loadbalancing($form{'uname'},$form{'udom'},'login');
+        if ($is_balancer) {
+            if ($otherserver eq '') {
+                my $lowest_load;
+                ($otherserver,undef,undef,undef,$lowest_load) = &Apache::lonnet::choose_server($form{'udom'});
+                if ($lowest_load > 100) {
+                    $otherserver = &Apache::lonnet::spareserver($lowest_load,$lowest_load,1,$form{'udom'});
+                }
+            }
+            if ($otherserver ne '') {
+                my @hosts = &Apache::lonnet::current_machine_ids();
+                if (grep(/^\Q$otherserver\E$/,@hosts)) {
+                    $hosthere = $otherserver;
+                }
+            }
+        }
     }
 
-    if ($is_balancer) {
-        if (!$otherserver) { 
-            ($otherserver) = &Apache::lonnet::choose_server($form{'udom'});
-        }
+    if (($is_balancer) && (!$hosthere)) {
         if ($otherserver) {
             &success($r,$form{'uname'},$form{'udom'},$authhost,'noredirect',undef,
                      \%form);
@@ -548,6 +587,9 @@ sub handler {
                 return OK;
             }
         }
+        if (($is_balancer) && ($hosthere)) {
+            $form{'noloadbalance'} = $hosthere;
+        }
         &success($r,$form{'uname'},$form{'udom'},$authhost,$firsturl,undef,
                  \%form);
         return OK;