Annotation of loncom/auth/lonstatusacc.pm, revision 1.4

1.1       raeburn     1: #
                      2: # LON-CAPA authorization for pages generated by server-status reports 
                      3: #
1.4     ! raeburn     4: # $Id: lonstatusacc.pm,v 1.3 2008/12/22 21:13:19 raeburn Exp $
1.1       raeburn     5: #
                      6: # Copyright Michigan State University Board of Trustees
                      7: #
                      8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
                      9: #
                     10: # LON-CAPA is free software; you can redistribute it and/or modify
                     11: # it under the terms of the GNU General Public License as published by
                     12: # the Free Software Foundation; either version 2 of the License, or
                     13: # (at your option) any later version.
                     14: #
                     15: # LON-CAPA is distributed in the hope that it will be useful,
                     16: # but WITHOUT ANY WARRANTY; without even the implied warranty of
                     17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
                     18: # GNU General Public License for more details.
                     19: #
                     20: # You should have received a copy of the GNU General Public License
                     21: # along with LON-CAPA; if not, write to the Free Software
                     22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
                     23: #
                     24: # /home/httpd/html/adm/gpl.txt
                     25: #
                     26: # http://www.lon-capa.org/
                     27: #
                     28: #############################################
                     29: #############################################
                     30: 
                     31: package Apache::lonstatusacc;
                     32: 
                     33: use strict;
1.3       raeburn    34: use Apache::Constants qw(:common :http :remotehost);
1.1       raeburn    35: use Apache::lonnet;
                     36: use LONCAPA::loncgi;
1.4     ! raeburn    37: use LONCAPA::lonauthcgi;
1.1       raeburn    38: 
                     39: sub handler {
                             # mod_perl access handler for the status pages. Returns OK to let the
                             # request through; otherwise FORBIDDEN, NOT_FOUND or
                             # HTTP_NOT_ACCEPTABLE. $r is the Apache request object.
                     40:     my $r = shift;
                             # REMOTE_NOLOOKUP: no DNS lookup is requested; the value is compared
                             # with an IP literal and passed to the IP-based checks below.
                     41:     my $reqhost = $r->get_remote_host(REMOTE_NOLOOKUP);
                             # Page key handed to the lonauthcgi checks; overridden per URI below.
                     42:     my $page = 'serverstatus';
                             # Session-gated URIs. Every path inside this branch returns, so the
                             # loopback, host-ID and IP checks further down are never reached for
                             # /adm/domainstatus or /adm/test.
1.3       raeburn    43:     if (($r->uri eq '/adm/domainstatus') ||
                     44:         ($r->uri eq '/adm/test')) {
1.2       raeburn    45:         if (&LONCAPA::loncgi::check_cookie_and_load_env($r)) {
                                     # /adm/domainstatus: a session accepted by the cookie check
                                     # is sufficient; no further authorization is done here.
1.3       raeburn    46:             if ($r->uri eq '/adm/domainstatus') {
1.1       raeburn    47:                 return OK;
1.3       raeburn    48:             } elsif ($r->uri eq '/adm/test') { 
                     49:                 $page = 'showenv'; 
                                         # /adm/test: the session must also pass can_view('showenv'),
                                         # or the requesting address must pass the IP-based check.
1.4     ! raeburn    50:                 if (&LONCAPA::lonauthcgi::can_view($page)) {
1.3       raeburn    51:                     return OK; 
1.4     ! raeburn    52:                 } elsif (&LONCAPA::lonauthcgi::check_ipbased_access($page,$reqhost)) {
1.3       raeburn    53:                     return OK;
                     54:                 } else {
                                             # Denial is reported through user.error.msg with
                                             # HTTP_NOT_ACCEPTABLE instead of FORBIDDEN.
                                             # NOTE(review): presumably picked up by a LON-CAPA
                                             # error handler elsewhere -- confirm.
                     55:                     $Apache::lonnet::env{'user.error.msg'} =
                     56:                         $r->uri.":bre:1:1:Access Denied";
                     57:                     return HTTP_NOT_ACCEPTABLE;
                     58:                 }
1.1       raeburn    59:             }
1.3       raeburn    60:         } else {
                                     # Cookie check failed: refuse without consulting IP rules.
                     61:             return FORBIDDEN;
1.1       raeburn    62:         }
                             # Any URI other than /server-status is treated as a 'lonstatus' page
                             # and must map to an existing file before access is evaluated.
                     63:     } elsif ($r->uri ne '/server-status') {
                     64:         $page = 'lonstatus';
                     65:         if (!-e $r->filename) {
                     66:             return NOT_FOUND;
                     67:         }
                     68:     }
                             # Loopback is allowed unconditionally (IPv4 literal only).
                             # NOTE(review): $reqhost is the peer address as Apache reports it; if
                             # a reverse proxy on this machine fronts Apache, confirm that proxied
                             # requests do not all arrive as 127.0.0.1, or this check admits them.
                     69:     if ($reqhost eq '127.0.0.1') {
                     70:         return OK;
                     71:     }
                             # Helper semantics below are inferred from their names in
                             # Apache::lonnet (host IDs for an IP, domains of this machine).
                     72:     my @hostids= &Apache::lonnet::get_hosts_from_ip($reqhost);
                     73:     my @poss_domains = &Apache::lonnet::current_machine_domains();
                             # The three arms are mutually exclusive: host-ID match, else IP-based
                             # access, else session + can_view.
                             # NOTE(review): when @hostids is non-empty but no domain matches,
                             # control falls through to FORBIDDEN without trying the IP-based or
                             # session checks in the other arms.
                     74:     if (@hostids > 0) {
                     75:         foreach my $id (@hostids) {
                     76:             if ($id ne '') {
                     77:                 my $dom = &Apache::lonnet::host_domain($id);
                     78:                 if ($dom ne '') {
                                             # \Q..\E quotes regex metacharacters in $dom; with
                                             # the anchors this is a whole-string comparison
                                             # (note that $ also matches before a trailing newline).
                     79:                     if (grep(/^\Q$dom\E$/,@poss_domains)) {
                     80:                         return OK;
                     81:                     }
                     82:                 }
                     83:             }
                     84:         }
1.4     ! raeburn    85:     } elsif (&LONCAPA::lonauthcgi::check_ipbased_access($page,$reqhost)) {
1.1       raeburn    86:         return OK;
                     87:     } else {
1.2       raeburn    88:         if (&LONCAPA::loncgi::check_cookie_and_load_env($r)) {
1.4     ! raeburn    89:             if (&LONCAPA::lonauthcgi::can_view($page)) {
1.1       raeburn    90:                 return OK;
                     91:             }
                     92:         }
                     93:     }
                             # Default deny: every path that has not returned by now is logged
                             # with the requesting address and URI, then refused.
                     94:     $r->log_reason("Invalid request for server status from $reqhost",
                     95:                    $r->uri);
                     96:     return FORBIDDEN;
                     97: }
                     98: 
                     99: 1;  # a module file must end with a true value so that loading it succeeds
                    100: 
                    101: __END__
                    102: 
                    103: =head1 NAME
                    104: 
                    105: Apache::lonstatusacc - Access Handler for Apache's server-status page 
                    106: and also pages in lon-status directory.
                    107: 
                    108: =head1 SYNOPSIS
                    109: 
                    110: Invoked (for appropriate locations) by /etc/httpd/conf/loncapa_apache.conf
                    111: 
                    112:  PerlAccessHandler       Apache::lonstatusacc
                    113: 
                    114: =head1 INTRODUCTION
                    115: 
                    116: This module can support access control based on IP 
                    117: address, or based on Domain Configuration settings 
                    118: for authenticated users (via cookie).
                    119: 
                    120: The module is used for control of access to
                    121: (a) Apache's server-status page
                    122: (b) Status pages in the /home/httpd/html/lon-status directory
                    123:     which were generated as follows:
                    124:     (i) when loncron was last run 
                    125:         (index.html, loncron_simple.txt, loncstatus.txt, and londstatus.txt),
                    126:     (ii) when lonsql was last started 
                    127:          (mysql.txt - only on connection failure),
                    128:     (iii) when /usr/local/loncapa/bin/CHECKRPMS was last run 
                    129:          (checkrpms.txt),
                    130:     (iv) when ./UPDATE was run to install/update 
                    131:          (version.txt). 
                    132: (c) User environment information reported by /adm/test
                    133:  
                    134: This is part of the LearningOnline Network with CAPA project
                    135: described at http://www.lon-capa.org.
                    136: 
                    137: =head1 HANDLER SUBROUTINE
                    138: 
                    139: This routine is called by Apache and mod_perl.
                    140: 
                    141: The check for whether access is allowed for a specific page proceeds as follows:
                    142: 
                    143: (a) Access allowed for request from loopback address for any page. (In handler() the /adm/domainstatus and /adm/test branch returns before this check is reached.)
                    144: 
                    145: (b) For any page except /adm/test, access allowed if at least one of the following applies:
                    146:     (a) If request is from a LON-CAPA server, if at least one domain hosted on 
                    147:         requesting machine is also a domain hosted on this server. 
                    148:     (b) IP address of requesting server is listed in domain configuration list
                    149:         of allowed machines for any of the domains hosted on this server
                    150:     (c) If requestor has an active LON-CAPA session -- checked using
                    151:         LONCAPA::loncgi::check_cookie_and_load_env() -- access allowed 
                    152:         AND one of the following is true:
                    153:         (i) Requestor has LON-CAPA superuser role
                    154:         (ii) Requestor's role is Domain Coordinator in one of the domains
                    155:              hosted on this server
                    156:         (iii) Domain configurations for domains hosted on this server include
                    157:               the requestor as one of the named users (username:domain) with access
                    158:               to the page.
                    159: 
                    160: (c) /adm/test
                    161:     Access requires a valid session - checked using 
                    162:     LONCAPA::loncgi::check_cookie_and_load_env(). 
                    163:     If so, access is allowed if one of the following is true:
                    164:     (i) Requestor has LON-CAPA superuser role, or
                    165:     (ii) Requestor's role is Domain Coordinator in one of the domains
                    166:          hosted on this server
                    167:     (iii) Domain configurations for domains hosted on this server include
                    168:           the requestor as one of the named users (username:domain) with access
                    169:           to the page.
                    170:     (iv) IP address of requestor is listed in domain configuration list
                    171:          of allowed machines for any of the domains hosted on this server
                    172: 
                    173: =cut 
                    174: 
