1: # The LearningOnline Network
2: # Authorization Handler for webDAV access to Authoring Space.
3: #
4: # $Id: lonwebdavacc.pm,v 1.4 2015/05/29 18:42:01 raeburn Exp $
5: #
6: # Copyright Michigan State University Board of Trustees
7: #
8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
9: #
10: # LON-CAPA is free software; you can redistribute it and/or modify
11: # it under the terms of the GNU General Public License as published by
12: # the Free Software Foundation; either version 2 of the License, or
13: # (at your option) any later version.
14: #
15: # LON-CAPA is distributed in the hope that it will be useful,
16: # but WITHOUT ANY WARRANTY; without even the implied warranty of
17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18: # GNU General Public License for more details.
19: #
20: # You should have received a copy of the GNU General Public License
21: # along with LON-CAPA; if not, write to the Free Software
22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23: #
24: # /home/httpd/html/adm/gpl.txt
25: #
26: # http://www.lon-capa.org/
27: #
28:
29: =pod
30:
31: =head1 NAME
32:
33: Apache::lonwebdavacc - webDAV Authorization Handler
34:
35: =head1 SYNOPSIS
36:
37: Invoked for ^/+webdav/[\w\-.]+/\w[\w.\-\@]+/ by
38: /etc/httpd/conf/loncapa_apache.conf:
39:
40: PerlAccessHandler Apache::lonwebdavacc
41:
42: =head1 INTRODUCTION
43:
44: This module enables authorization for authoring space
45: and is used to control access for the following type of URI:
46:
47: <LocationMatch "^/+webdav/[\w\-.]+/\w[\w.\-\@]+/">
48:
49: This module is only called following successful authentication.
50: Unless lonOtherAuthen has been set, so Single Sign On can be used,
51: successful authentication will have created a session file and
52: transferred the contents to the user's environment.
53:
54: In the case of SSO, there is no existing user environment, but
55: $r->user will have been set to the user's username, following
56: successful authentication. For SSO, the webDAV session file
57: and environment are set up by a call to
58: Apache::lonwebdavauth::init_webdav_env().
59:
60: Note: because Apache Basic Auth is used for authentication (unless SSO)
61: webDAV access is only available for servers running Apache with SSL.
62:
63: This is part of the LearningOnline Network with CAPA project
64: described at http://www.lon-capa.org.
65:
66: =head1 HANDLER SUBROUTINE
67:
68: This routine is called by Apache and mod_perl.
69:
70: =over 4
71:
72: =item *
73:
74: Checks if $env{'user.environment'} is defined.
75:
76: =item *
77:
78: If no %env, this was SSO authentication so call to &sso_login() to
79: create session, and return cookie.
80:
81: =item *
82:
83: Checks if requested URL (of form /webdav/authordomain/authorname) is valid
84: and whether authenticated user has an active author or co-author
85: role in the corresonding Author Space.
86:
87: =back
88:
89: =head1 NOTABLE SUBROUTINES
90:
91: =over
92:
93: =item * sso_login()
94:
95: =over
96:
97: =item *
98:
99: Called if no user.environment exists in %env.
100:
101: =item *
102:
103: Checks if $r->user contains a valid user.
104:
105: =item *
106:
107: Domain is set either from lonSSOUserDomain perlvar (if defined)
108: or from lonDefDomain perlvar.
109:
110: =item *
111:
112: For a valid user a new session file and is created, and the corresponding
113: cookie is returned to the client in an Apache response header.
114:
115: =back
116:
117: =back
118:
119: =cut
120:
121: package Apache::lonwebdavacc;
122:
123: use strict;
124: use GDBM_File;
125: use Apache::Constants qw(:common :http :methods);
126: use Apache::lonnet;
127: use Apache::londiff();
128: use LONCAPA qw(:DEFAULT :match);
129:
130: sub handler {
131: my $r = shift;
132: my $timetolive = 600;
133: my $now = time;
134: my $sessiondir=$r->dir_config('lonDAVsessDir');
135:
136: my ($adom,$aname) = ($r->uri =~ m{^/webdav/($match_domain)/($match_username)/});
137: my $author = "$aname:$adom";
138: unless ($env{'user.environment'}) {
139: my $handle = &Apache::lonnet::check_for_valid_session($r,'lonDAV');
140: if ($handle eq '') {
141: $handle = &sso_login($r,$sessiondir,$now,$timetolive,$author);
142: if ($handle eq '') {
143: return FORBIDDEN;
144: }
145: } else {
146: &Apache::lonnet::transfer_profile_to_env($sessiondir,$handle);
147: }
148: }
149: my $uhome=&Apache::lonnet::homeserver($env{'user.name'},$env{'user.domain'});
150: if ($uhome =~ /^(con_lost|no_host|no_such_host)$/) {
151: return FORBIDDEN;
152: }
153:
154: my $docroot = $r->dir_config('lonDocRoot');
155: if ($adom eq '' || $aname eq '') {
156: return FORBIDDEN;
157: } elsif (!-d "$docroot/priv/$adom/$aname") {
158: return FORBIDDEN;
159: }
160: my $allowed;
161: if (($env{'user.name'} eq $aname) && ($env{'user.domain'} eq $adom)) {
162: if ($env{"user.role.au./$adom/"}) {
163: $allowed = 1;
164: }
165: } else {
166: if (($env{"user.role.ca./$adom/$aname"}) ||
167: (env{"user.role.aa./$adom/$aname"})) {
168: $allowed = 1;
169: }
170: }
171: if ($allowed) {
172: my $method = $r->method();
173: if (($r->filename =~ /.+\.(log|bak|meta|save)$/) || ($r->filename =~ /\.\d+\.\w+$/) ||
174: ($r->filename =~ m{/\.+[^_/]+$})) {
175: if (($method eq 'MKCOL') || ($method eq 'PUT')) {
176: return FORBIDDEN;
177: } elsif ($method eq 'MOVE') {
178: if (($r->filename =~ /\.\d+\.\w+$/) || ($r->filename =~ m{/\.+[^_/]+$})) {
179: return FORBIDDEN;
180: }
181: }
182: }
183: if (($method eq 'DELETE') || ($method eq 'MOVE')) {
184: unless (($r->filename =~ m{/\._[^/]+$}) || ($r->filename =~ m{/\.DS_Store$})) {
185: my $dirptr=16384;
186: my ($cmode,$cmtime)=(stat($r->filename))[2,9];
187: if (($cmode&$dirptr)) {
188: my $numpub = 0;
189: $numpub = &recurse_dir($r->filename,$r->dir_config('lonDocRoot'),$numpub);
190: if ($numpub) {
191: return FORBIDDEN;
192: }
193: } else {
194: if ($r->filename =~ /^(.+)\.(log|bak|save|meta)$/) {
195: my $conjugate = $1;
196: my $type = $2;
197: if (($type eq 'log') || ($type eq 'meta')) {
198: if (-e $conjugate) {
199: my $conjstatus = &pubstatus($conjugate,$r->dir_config('lonDocRoot'));
200: unless (($conjstatus eq 'unpublished') || ($conjstatus eq 'obsolete')) {
201: return FORBIDDEN;
202: }
203: }
204: }
205: } else {
206: my $status = &pubstatus($r->filename,$r->dir_config('lonDocRoot'));
207: unless (($status eq 'unpublished') || ($status eq 'obsolete')) {
208: return FORBIDDEN;
209: }
210: }
211: }
212: }
213: }
214: return OK;
215: }
216: return FORBIDDEN;
217: }
218:
219: sub sso_login {
220: my ($r,$sessiondir,$now,$timetolive,$author) = @_;
221: my ($uname,$udom);
222: my ($uname) = ($r->user =~ m/([a-zA-Z0-9_\-@.]*)/);
223: unless ($uname =~ /^$match_username$/) {
224: return;
225: }
226: $udom = $r->dir_config('lonSSOUserDomain');
227: if ($udom eq '') {
228: $udom = $r->dir_config('lonDefDomain');
229: }
230: unless (($udom =~ /^$match_domain$/)) {
231: return;
232: }
233: my $uhome = &Apache::lonnet::homeserver($uname,$udom);
234: if ($uhome =~ /^(con_lost|no_host|no_such_host)$/) {
235: return;
236: }
237: my $handle =
238: &Apache::lonwebdavauth::init_webdav_env($r,$sessiondir,$uname,$udom,
239: $uhome,$now,$timetolive,$author);
240: if ($handle ne '') {
241: if (&Apache::lonnet::usertools_access($uname,$udom,'webdav')) {
242: my ($webdav) =
243: ($r->uri =~ m{^(/webdav/$match_domain/$match_username/)});
244: &Apache::lonnet::log($udom,$uname,$uhome,
245: "SSO log-in to $webdav from $ENV{'REMOTE_ADDR'}");
246: my $cookie = "lonDAV=$handle; path=/webdav/; secure; HttpOnly;";
247: $r->header_out('Set-cookie' => $cookie);
248: $r->send_http_header;
249: }
250: }
251: return ($handle);
252: }
253:
254: sub pubstatus {
255: my ($fn,$docroot,$cmtime) = @_;
256: my $privfn = $fn;
257: my $thisdisfn = $fn;
258: $thisdisfn=~s/^\Q$docroot\E\/priv//;
259: my $resfn=$docroot.'/res'.$thisdisfn;
260: my $targetfn = '/res'.$thisdisfn;
261: my $status = 'unpublished';
262: if (-e $resfn) {
263: $status = 'published';
264: my $same = 0;
265: if ((stat($resfn))[9] >= $cmtime) {
266: $same = 1;
267: } else {
268: if (&Apache::londiff::are_different_files($resfn,$privfn)) {
269: $same = 0;
270: } else {
271: $same = 1;
272: }
273: }
274: if ($same) {
275: if (&Apache::lonnet::metadata($targetfn,'obsolete')) {
276: $status = 'obsolete';
277: }
278: }
279: }
280: return $status;
281: }
282:
283: sub recurse_dir {
284: my ($dirname,$docroot,$numpub) = @_;
285: $dirname =~ s{/$}{};
286: my $dirptr=16384;
287: if (opendir(my $dirh,$dirname)) {
288: my @items = readdir($dirh);
289: closedir($dirh);
290: foreach my $item (@items) {
291: next if ($item =~ /.+\.(log|bak|save|meta)$/);
292: next if ($item =~ /^\.+/);
293: my ($cmode,$cmtime)=(stat("$dirname/$item"))[2,9];
294: if (!($cmode&$dirptr)) {
295: if (&pubstatus("$dirname/$item",$docroot,$cmtime) eq 'published') {
296: $numpub ++;
297: }
298: } else {
299: $numpub = &recurse_dir("$dirname/$item",$docroot,$numpub);
300: }
301: }
302: }
303: return $numpub;
304: }
305:
306: 1;
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to lonwebdavacc.pm CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom / auth