File:  [LON-CAPA] / loncom / auth / lonstatusacc.pm
Fri Nov 28 19:38:11 2008 UTC (15 years, 5 months ago) by raeburn
Branches: MAIN
CVS tags: HEAD
- Retire use of Apache Basic Auth for status files in /cgi-bin, /lon-status,
  and /adm/test.
- Add lonstatusacc.pm as an access handler for /lon-status/* and /server-status

    1: #
    2: # LON-CAPA authorization for pages generated by server-status reports 
    3: #
    4: # $Id: lonstatusacc.pm,v 1.1 2008/11/28 19:38:11 raeburn Exp $
    5: #
    6: # Copyright Michigan State University Board of Trustees
    7: #
    8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
    9: #
   10: # LON-CAPA is free software; you can redistribute it and/or modify
   11: # it under the terms of the GNU General Public License as published by
   12: # the Free Software Foundation; either version 2 of the License, or
   13: # (at your option) any later version.
   14: #
   15: # LON-CAPA is distributed in the hope that it will be useful,
   16: # but WITHOUT ANY WARRANTY; without even the implied warranty of
   17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   18: # GNU General Public License for more details.
   19: #
   20: # You should have received a copy of the GNU General Public License
   21: # along with LON-CAPA; if not, write to the Free Software
   22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
   23: #
   24: # /home/httpd/html/adm/gpl.txt
   25: #
   26: # http://www.lon-capa.org/
   27: #
   28: #############################################
   29: #############################################
   30: 
   31: package Apache::lonstatusacc;
   32: 
   33: use strict;
   34: use Apache::Constants qw(:common :remotehost);
   35: use Apache::lonnet;
   36: use LONCAPA::loncgi;
   37: 
   38: sub handler {
   39:     my $r = shift;
   40:     my $reqhost = $r->get_remote_host(REMOTE_NOLOOKUP);
   41:     my $page = 'serverstatus';
   42:     if ($r->uri eq '/adm/test') {
   43:         $page = 'showenv';
   44:         if (&LONCAPA::loncgi::check_cookie_and_load_env()) {
   45:             if (&LONCAPA::loncgi::can_view($page)) {
   46:                 return OK; 
   47:             } elsif (&LONCAPA::loncgi::check_ipbased_access($page,$reqhost)) {
   48:                 return OK;
   49:             }
   50:         }
   51:     } elsif ($r->uri ne '/server-status') {
   52:         $page = 'lonstatus';
   53:         if (!-e $r->filename) {
   54:             return NOT_FOUND;
   55:         }
   56:     }
   57:     if ($reqhost eq '127.0.0.1') {
   58:         return OK;
   59:     }
   60:     my @hostids= &Apache::lonnet::get_hosts_from_ip($reqhost);
   61:     my @poss_domains = &Apache::lonnet::current_machine_domains();
   62:     if (@hostids > 0) {
   63:         foreach my $id (@hostids) {
   64:             if ($id ne '') {
   65:                 my $dom = &Apache::lonnet::host_domain($id);
   66:                 if ($dom ne '') {
   67:                     if (grep(/^\Q$dom\E$/,@poss_domains)) {
   68:                         return OK;
   69:                     }
   70:                 }
   71:             }
   72:         }
   73:     } elsif (&LONCAPA::loncgi::check_ipbased_access($page,$reqhost)) {
   74:         return OK;
   75:     } else {
   76:         if (&LONCAPA::loncgi::check_cookie_and_load_env($page)) {
   77:             if (&LONCAPA::loncgi::can_view($page)) {
   78:                 return OK;
   79:             }
   80:         }
   81:     }
   82:     $r->log_reason("Invalid request for server status from $reqhost",
   83:                    $r->uri);
   84:     return FORBIDDEN;
   85: }
   86: 
   87: 1;
   88: 
   89: __END__
   90: 
   91: =head1 NAME
   92: 
   93: Apache::lonstatusacc - Access Handler for Apache's server-status page 
   94: and also pages in lon-status directory.
   95: 
   96: =head1 SYNOPSIS
   97: 
   98: Invoked (for appropriate locations) by /etc/httpd/conf/loncapa_apache.conf
   99: 
  100:  PerlAccessHandler       Apache::lonstatusacc
  101: 
  102: =head1 INTRODUCTION
  103: 
  104: This module can support access control based on IP 
  105: address, or based on Domain Configuration settings 
  106: for authenticated users (via cookie).
  107: 
  108: The module is used for control of access to
  109: (a) Apache's server-status page
  110: (b) Status pages in the /home/httpd/html/lon-status directory
  111:     which were generated as follows:
  112:     (i) when loncron was last run 
  113:         (index.html, loncron_simple.txt, loncstatus.txt, and londstatus.txt),
  114:     (ii) when lonsql was last started 
  115:          (mysql.txt - only on connection failure),
  116:     (iii) when /usr/local/loncapa/bin/CHECKRPMS was last run 
  117:          (checkrpms.txt),
  118:     (iv) when ./UPDATE was run to install/update 
  119:          (version.txt). 
  120: (c) User environment information reported by /adm/test
  121:  
  122: This is part of the LearningOnline Network with CAPA project
  123: described at http://www.lon-capa.org.
  124: 
  125: =head1 HANDLER SUBROUTINE
  126: 
  127: This routine is called by Apache and mod_perl.
  128: 
  129: The check for whether access is allowed for a specific page proceeds as follows:
  130: 
  131: (a) Access allowed for request from loopback address for any page.
  132: 
  133: (b) For any page except /adm/test, access allowed if at least one of the following applies:
  134:     (a) If request is from a LON-CAPA server, if at least one domain hosted on 
  135:         requesting machine is also a domain hosted on this server. 
  136:     (b) IP address of requesting server is listed in domain configuration list
  137:         of allowed machines for any of the domains hosted on this server
  138:     (c) If requestor has an active LON-CAPA session -- checked using
  139:         LONCAPA::loncgi::check_cookie_and_load_env() -- access allowed 
  140:         AND one of the following is true:
  141:         (i) Requestor has LON-CAPA superuser role
  142:         (ii) Requestor's role is Domain Coordinator in one of the domains
  143:              hosted on this server
  144:         (iii) Domain configurations for domains hosted on this server include
  145:               the requestor as one of the named users (username:domain) with access
  146:               to the page.
  147: 
  148: (c) /adm/test
  149:     Access requires a valid session - checked using 
  150:     LONCAPA::loncgi::check_cookie_and_load_env(). 
  151:     If so, access is allowed if one of the following is true:
  152:     (i) Requestor has LON-CAPA superuser role, or
  153:     (ii) Requestor's role is Domain Coordinator in one of the domains
  154:          hosted on this server
  155:     (iii) Domain configurations for domains hosted on this server include
  156:           the requestor as one of the named users (username:domain) with access
  157:           to the page.
  158:     (iv) IP address of requestor is listed in domain configuration list
  159:          of allowed machines for any of the domains hosted on this server
  160: 
  161: =cut 
  162: 
