File:  [LON-CAPA] / loncom / auth / lonstatusacc.pm
Revision 1.7
Sat Jun 13 20:28:56 2009 UTC (14 years, 10 months ago) by raeburn
Branches: MAIN
CVS tags: version_2_9_X, version_2_9_99_0, version_2_9_1, version_2_9_0, version_2_8_99_1, version_2_8_99_0, version_2_11_2_uiuc, version_2_11_2_msu, version_2_11_2_educog, version_2_11_2, version_2_11_1, version_2_11_0_RC3, version_2_11_0_RC2, version_2_11_0_RC1, version_2_11_0, version_2_10_X, version_2_10_1, version_2_10_0_RC2, version_2_10_0_RC1, version_2_10_0, loncapaMITrelate_1, language_hyphenation_merge, language_hyphenation, bz6209-base, bz6209, bz5969, bz2851, PRINT_INCOMPLETE_base, PRINT_INCOMPLETE, HEAD, GCI_3, GCI_2, BZ5971-printing-apage, BZ4492-merge, BZ4492-feature_horizontal_radioresponse, BZ4492-feature_Support_horizontal_radioresponse, BZ4492-Support_horizontal_radioresponse
Changes to access control for /adm/test
- Access to /adm/test allowed if requestor has a DC role in requestor's domain,
  regardless of current role.
- For /adm/test, domain checked is requestor's domain, not domain(s) hosted on server.
- Update documentation.

    1: #
    2: # LON-CAPA authorization for pages generated by server-status reports 
    3: #
    4: # $Id: lonstatusacc.pm,v 1.7 2009/06/13 20:28:56 raeburn Exp $
    5: #
    6: # Copyright Michigan State University Board of Trustees
    7: #
    8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
    9: #
   10: # LON-CAPA is free software; you can redistribute it and/or modify
   11: # it under the terms of the GNU General Public License as published by
   12: # the Free Software Foundation; either version 2 of the License, or
   13: # (at your option) any later version.
   14: #
   15: # LON-CAPA is distributed in the hope that it will be useful,
   16: # but WITHOUT ANY WARRANTY; without even the implied warranty of
   17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   18: # GNU General Public License for more details.
   19: #
   20: # You should have received a copy of the GNU General Public License
   21: # along with LON-CAPA; if not, write to the Free Software
   22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
   23: #
   24: # /home/httpd/html/adm/gpl.txt
   25: #
   26: # http://www.lon-capa.org/
   27: #
   28: #############################################
   29: #############################################
   30: 
   31: package Apache::lonstatusacc;
   32: 
   33: use strict;
   34: use Apache::Constants qw(:common :http :remotehost);
   35: use Apache::lonnet;
   36: use LONCAPA::loncgi;
   37: use LONCAPA::lonauthcgi;
   38: 
   39: sub handler {
   40:     my $r = shift;
   41:     my $reqhost = $r->get_remote_host(REMOTE_NOLOOKUP);
   42:     my $page = 'server-status';
   43:     if (($r->uri eq '/adm/domainstatus') ||
   44:         ($r->uri eq '/adm/test')) {
   45:         if (&LONCAPA::loncgi::check_cookie_and_load_env($r)) {
   46:             if ($r->uri eq '/adm/domainstatus') {
   47:                 return OK;
   48:             } elsif ($r->uri eq '/adm/test') { 
   49:                 $page = 'showenv'; 
   50:                 if (&LONCAPA::lonauthcgi::can_view($page)) {
   51:                     return OK; 
   52:                 } elsif (&LONCAPA::lonauthcgi::check_ipbased_access($page,$reqhost)) {
   53:                     return OK;
   54:                 } else {
   55:                     $Apache::lonnet::env{'user.error.msg'} =
   56:                         $r->uri.":bre:1:1:Access Denied";
   57:                     return HTTP_NOT_ACCEPTABLE;
   58:                 }
   59:             }
   60:         } else {
   61:             return FORBIDDEN;
   62:         }
   63:     } elsif ($r->uri ne '/server-status') {
   64:         $page = 'lonstatus';
   65:         if (!-e $r->filename) {
   66:             return NOT_FOUND;
   67:         }
   68:     }
   69:     if ($reqhost eq '127.0.0.1') {
   70:         return OK;
   71:     }
   72:     my @hostids= &Apache::lonnet::get_hosts_from_ip($reqhost);
   73:     my @poss_domains = &Apache::lonnet::current_machine_domains();
   74:     if (@hostids > 0) {
   75:         foreach my $id (@hostids) {
   76:             if ($id ne '') {
   77:                 my $dom = &Apache::lonnet::host_domain($id);
   78:                 if ($dom ne '') {
   79:                     if (grep(/^\Q$dom\E$/,@poss_domains)) {
   80:                         return OK;
   81:                     }
   82:                 }
   83:             }
   84:         }
   85:     }
   86:     if (&LONCAPA::lonauthcgi::check_ipbased_access($page,$reqhost)) {
   87:         return OK;
   88:     }
   89:     if (&LONCAPA::loncgi::check_cookie_and_load_env($r)) {
   90:         if (&LONCAPA::lonauthcgi::can_view($page)) {
   91:             return OK;
   92:         }
   93:     }
   94:     $r->log_reason("Invalid request for server status from $reqhost",
   95:                    $r->uri);
   96:     return FORBIDDEN;
   97: }
   98: 
   99: 1;
  100: 
  101: __END__
  102: 
  103: =head1 NAME
  104: 
   105: Apache::lonstatusacc - Access Handler for Apache's server-status page
   106: and for pages in the lon-status directory.
  107: 
  108: =head1 SYNOPSIS
  109: 
  110: Invoked (for appropriate locations) by /etc/httpd/conf/loncapa_apache.conf
  111: 
  112:  PerlAccessHandler       Apache::lonstatusacc
  113: 
  114: =head1 INTRODUCTION
  115: 
  116: This module can support access control based on IP 
  117: address, or based on Domain Configuration settings 
  118: for authenticated users (via cookie).
  119: 
  120: The module is used for control of access to
  121: (a) Apache's server-status page
  122: (b) Status pages in the /home/httpd/html/lon-status directory
  123:     which were generated as follows:
  124:     (i) when loncron was last run 
  125:         (index.html, loncron_simple.txt, loncstatus.txt, and londstatus.txt),
  126:     (ii) when lonsql was last started 
  127:          (mysql.txt - only on connection failure),
  128:     (iii) when /usr/local/loncapa/bin/CHECKRPMS was last run 
  129:          (checkrpms.txt),
  130:     (iv) when ./UPDATE was run to install/update 
  131:          (version.txt). 
  132: (c) User environment information reported by /adm/test
  133:  
  134: This is part of the LearningOnline Network with CAPA project
  135: described at http://www.lon-capa.org.
  136: 
  137: =head1 HANDLER SUBROUTINE
  138: 
  139: This routine is called by Apache and mod_perl.
  140: 
  141: The check for whether access is allowed for a specific page proceeds as follows:
  142: 
  143: (a) Access allowed for request from loopback address for any page.
  144: 
  145: (b) For any page except /adm/test, access allowed if at least one of the following applies:
   146:     (i) If the request is from a LON-CAPA server and at least one domain hosted on
   147:         the requesting machine is also a domain hosted on this server.
   148:     (ii) IP address of the requesting server is listed in the domain configuration
   149:          list of allowed machines for any of the domains hosted on this server.
   150:     (iii) The requestor has an active LON-CAPA session -- checked using
   151:           LONCAPA::loncgi::check_cookie_and_load_env() -- and one of the
   152:           following is also true:
   153:           (1) Requestor has the LON-CAPA superuser role
   154:           (2) Requestor's role is Domain Coordinator in one of the domains
   155:               hosted on this server
   156:           (3) Domain configurations for domains hosted on this server include
   157:               the requestor as one of the named users (username:domain) with access
   158:               to the page.
  159: 
  160: (c) /adm/test
   161:     Access requires a valid session -- checked using
   162:     LONCAPA::loncgi::check_cookie_and_load_env().
   163:     If the session is valid, access is allowed if one of the following is true:
  164:     (i) Requestor's role is LON-CAPA superuser role.
   165:     (ii) Requestor has a Domain Coordinator role in the domain of the
   166:          requestor ($env{'user.domain'}), regardless of the requestor's current role.
  167:     (iii) Domain configurations for the domain of the current user include
  168:           the requestor as one of the named users (username:domain) with access
  169:           to the page.
  170:     (iv) IP address of requestor is listed in domain configuration list
  171:          of allowed IPs for the domain of the current user.
  172: 
  173: =cut 
  174: 
