File:  [LON-CAPA] / loncom / auth / lonracc.pm
Revision 1.24: download - view: text, annotated - select for diffs
Fri Dec 18 15:23:03 2020 UTC (3 years, 3 months ago) by raeburn
Branches: MAIN
CVS tags: version_2_12_X, version_2_11_X, version_2_11_4_uiuc, version_2_11_4_msu, version_2_11_4, version_2_11_3_uiuc, version_2_11_3_msu, version_2_11_3, HEAD
- Retrieval of requestor's IP address centralized in lonnet::get_requestor_ip()
- Domain configuration to allow domain's LON-CAPA nodes to operate behind a
  WAF/Reverse Proxy using aliased hostname (CNAME).
- Web requests from other nodes bypass the WAF as their requests are made
  directly to the server hostname (A record); same for internal LON-CAPA
  connections for lonc -> lond.

# The LearningOnline Network
# Access Handler for File Transfers
#
# $Id: lonracc.pm,v 1.24 2020/12/18 15:23:03 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
# This file is part of the LearningOnline Network with CAPA (LON-CAPA).
#
# LON-CAPA is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# LON-CAPA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with LON-CAPA; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
# /home/httpd/html/adm/gpl.txt
#
# http://www.lon-capa.org/
#

=pod

=head1 NAME

Apache::lonracc - Access Handler for File Transfers

=head1 SYNOPSIS

Invoked by /etc/httpd/conf/loncapa.conf:

 <LocationMatch "^/raw.*">
 PerlAccessHandler Apache::lonracc
 </LocationMatch>

=head1 INTRODUCTION

This module enables authentication for file transfers and works
against the /res tree.

Only lond invokes the /raw namespace through its subscribe function.

This is part of the LearningOnline Network with CAPA project
described at http://www.lon-capa.org.

=head1 HANDLER SUBROUTINE

This routine is called by Apache and mod_perl.

=over 4

=item *

Determine requesting host

=item *

See whether or not the requesting host is subscribed.

=item *

Respond with status of request and make log entry in case of unallowed
access.

=back

=cut

package Apache::lonracc;

use strict;
use Apache::Constants qw(:common :remotehost);
use Apache::lonnet;
use Apache::File();
use IO::Socket;

sub subscribed {
    my ($filename,$id) = @_;

    return 0 if (!-e "$filename.subscription");

    my $hostname=&Apache::lonnet::hostname($id);
    my (undef,undef,undef,undef,$ip) = gethostbyname($hostname);
    
    return 0 if (length($ip) != 4);

    $ip=inet_ntoa($ip);

    my $expr='^'.quotemeta($id).':'.quotemeta($ip).':';

    my $found=0;
    if (my $sh=Apache::File->new("$filename.subscription")) {
	while (my $subline=<$sh>) { if ($subline =~ /$expr/) { $found=1; } }
	$sh->close();
    }
    return $found;
}

sub handler {
    my $r = shift;

    my $filename=$r->filename;
    if (!-e $filename) {
	return NOT_FOUND;
    }

    my $reqhost = &Apache::lonnet::get_requestor_ip($r,REMOTE_NOLOOKUP,1);
    my @hostids= &Apache::lonnet::get_hosts_from_ip($reqhost);
    if (!@hostids && $reqhost ne '127.0.0.1' ) {
	$r->log_reason("Unable to find a host for ".
		       $r->get_remote_host(REMOTE_NOLOOKUP));
	return FORBIDDEN;
    }
    if ($reqhost eq '127.0.0.1') {
	return OK;
    }
    my $return;
    my @ids;

    foreach my $id (@hostids) {
	my $uri =$r->uri;
	if (($filename=~/\.meta$/) ||
	    ($uri=~m|^/raw/uploaded|) ||
	    (-e "$filename.$id") ||
	    &subscribed($filename,$id) ) {
	    return OK;
	} else {
	    $return=FORBIDDEN;
	    push(@ids,$id);
	}
    }
    if ($return == FORBIDDEN) {
	$r->log_reason(join(':',@ids)." not subscribed", $r->filename);
	return FORBIDDEN;
    }
    $r->log_reason("Invalid request for file transfer from $reqhost", 
                   $r->filename); 
    return FORBIDDEN;
}

1;
__END__










FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>