Fri May 29 20:00:49 2015 UTC (8 years, 11 months ago) by raeburn
Branches: MAIN
CVS tags: version_2_11_2_uiuc, version_2_11_2_educog, version_2_11_2, version_2_11_1, HEAD
- Single Sign On needs to be able to interface with Apache Basic Auth
  in order to support webDAV clients.
- For now SSO is not supported with webDAV in LON-CAPA.
- Discontinue use of call to &sso_login() in lonwebdavacc.pm

    1: # The LearningOnline Network
    2: # Authorization Handler for webDAV access to Authoring Space. 
    3: #
    4: # $Id: lonwebdavacc.pm,v 1.5 2015/05/29 20:00:49 raeburn Exp $
    5: #
    6: # Copyright Michigan State University Board of Trustees
    7: #
    8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
    9: #
   10: # LON-CAPA is free software; you can redistribute it and/or modify
   11: # it under the terms of the GNU General Public License as published by
   12: # the Free Software Foundation; either version 2 of the License, or
   13: # (at your option) any later version.
   14: #
   15: # LON-CAPA is distributed in the hope that it will be useful,
   16: # but WITHOUT ANY WARRANTY; without even the implied warranty of
   17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   18: # GNU General Public License for more details.
   19: #
   20: # You should have received a copy of the GNU General Public License
   21: # along with LON-CAPA; if not, write to the Free Software
   22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
   23: #
   24: # /home/httpd/html/adm/gpl.txt
   25: #
   26: # http://www.lon-capa.org/
   27: #
   28: 
   29: =pod
   30: 
   31: =head1 NAME
   32: 
   33: Apache::lonwebdavacc - webDAV Authorization Handler
   34: 
   35: =head1 SYNOPSIS
   36: 
   37: Invoked for ^/+webdav/[\w\-.]+/\w[\w.\-\@]+/ by
   38: /etc/httpd/conf/loncapa_apache.conf:
   39: 
   40: PerlAccessHandler       Apache::lonwebdavacc
   41: 
   42: =head1 INTRODUCTION
   43: 
   44: This module enables authorization for authoring space
   45: and is used to control access for the following type of URI:
   46: 
   47:  <LocationMatch "^/+webdav/[\w\-.]+/\w[\w.\-\@]+/">
   48: 
   49: This module is only called following successful authentication. 
   50: Successful authentication will have created a session file and
   51: transferred the contents to the user's environment.
   52: 
   53: Note: because Apache Basic Auth is used for authentication 
   54: webDAV access is only available for servers running Apache with SSL.
   55: 
   56: This is part of the LearningOnline Network with CAPA project
   57: described at http://www.lon-capa.org.
   58: 
   59: =head1 HANDLER SUBROUTINE
   60: 
   61: This routine is called by Apache and mod_perl.
   62: 
   63: =over 4
   64: 
   65: =item *
   66: 
   67: Checks if $env{'user.environment'} is defined.
   68: 
   69: =item *
   70: 
   71: If no %env, calls Apache::lonnet::check_for_valid_session() 
   72: to retrieve a valid sessionID (webDAV client needs to support
   73: cookies for session retrieval to be successful). If a session is
   74: found Apache::lonnet::transfer_profile_to_env() is called 
   75: to populate %env.
   76: 
   77: =item *
   78: 
   79: Checks if requested URL (of form /webdav/authordomain/authorname) is valid
   80: and whether authenticated user has an active author or co-author
   81: role in the corresponding Authoring Space. 
   82: 
   83: =back
   84: 
   85: =head1 NOTABLE SUBROUTINES
   86: 
   87: =over
   88: 
   89: =item * sso_login()
   90: 
   91: =over 
   92: 
   93: =item *
   94: 
   95: Not currently used.
   96: 
   97: =item *
   98: 
   99: Checks if $r->user contains a valid user.
  100: 
  101: =item *
  102: 
  103: Domain is set either from lonSSOUserDomain perlvar (if defined)
  104: or from lonDefDomain perlvar.
  105:  
  106: =item *
  107: 
  108: For a valid user a new session file is created, and the corresponding 
  109: cookie is returned to the client in an Apache response header.
  110: 
  111: =back
  112: 
  113: =back
  114: 
  115: =cut
  116: 
  117: package Apache::lonwebdavacc;
  118: 
  119: use strict;
  120: use GDBM_File;
  121: use Apache::Constants qw(:common :http :methods);
  122: use Apache::lonnet;
  123: use Apache::londiff();
  124: use LONCAPA qw(:DEFAULT :match);
  125: 
  126: sub handler {
  127:     my $r = shift;
  128:     my $timetolive = 600;
  129:     my $now = time;
  130:     my $sessiondir=$r->dir_config('lonDAVsessDir');
  131: 
  132:     my ($adom,$aname) = ($r->uri =~ m{^/webdav/($match_domain)/($match_username)/});
  133:     my $author = "$aname:$adom";
  134:     unless ($env{'user.environment'}) {
  135:         my $handle = &Apache::lonnet::check_for_valid_session($r,'lonDAV');
  136:         if ($handle ne '') {
  137:             &Apache::lonnet::transfer_profile_to_env($sessiondir,$handle);
  138:         } else {
  139:             return FORBIDDEN;
  140:         }
  141:     }
  142:     my $uhome=&Apache::lonnet::homeserver($env{'user.name'},$env{'user.domain'});
  143:     if ($uhome =~ /^(con_lost|no_host|no_such_host)$/) {
  144:         return FORBIDDEN;
  145:     }
  146: 
  147:     my $docroot = $r->dir_config('lonDocRoot');
  148:     if ($adom eq '' || $aname eq '') {
  149:         return FORBIDDEN;
  150:     } elsif (!-d "$docroot/priv/$adom/$aname") {
  151:         return FORBIDDEN;
  152:     }
  153:     my $allowed;  
  154:     if (($env{'user.name'} eq $aname) && ($env{'user.domain'} eq $adom)) {
  155:         if ($env{"user.role.au./$adom/"}) {
  156:             $allowed = 1;
  157:         }
  158:     } else {
  159:         if (($env{"user.role.ca./$adom/$aname"}) ||
  160:             (env{"user.role.aa./$adom/$aname"})) {
  161:             $allowed = 1;
  162:         }
  163:     }
  164:     if ($allowed) {
  165:         my $method = $r->method();
  166:         if (($r->filename =~ /.+\.(log|bak|meta|save)$/) || ($r->filename =~ /\.\d+\.\w+$/) || 
  167:             ($r->filename =~ m{/\.+[^_/]+$})) {
  168:             if (($method eq 'MKCOL') || ($method eq 'PUT')) {
  169:                 return FORBIDDEN;
  170:             } elsif ($method eq 'MOVE') {
  171:                 if (($r->filename =~ /\.\d+\.\w+$/) || ($r->filename =~ m{/\.+[^_/]+$})) {
  172:                     return FORBIDDEN;
  173:                 }
  174:             }
  175:         }
  176:         if (($method eq 'DELETE') || ($method eq 'MOVE')) {
  177:             unless (($r->filename =~ m{/\._[^/]+$}) || ($r->filename =~ m{/\.DS_Store$})) {
  178:                 my $dirptr=16384;
  179:                 my ($cmode,$cmtime)=(stat($r->filename))[2,9];
  180:                 if (($cmode&$dirptr)) {
  181:                     my $numpub = 0;
  182:                     $numpub = &recurse_dir($r->filename,$r->dir_config('lonDocRoot'),$numpub);
  183:                     if ($numpub) {
  184:                         return FORBIDDEN;
  185:                     }
  186:                 } else {
  187:                     if ($r->filename =~ /^(.+)\.(log|bak|save|meta)$/) {
  188:                         my $conjugate = $1;
  189:                         my $type = $2; 
  190:                         if (($type eq 'log') || ($type eq 'meta')) {
  191:                             if (-e $conjugate) {
  192:                                 my $conjstatus = &pubstatus($conjugate,$r->dir_config('lonDocRoot'));
  193:                                 unless (($conjstatus eq 'unpublished') || ($conjstatus eq 'obsolete')) {
  194:                                     return FORBIDDEN;
  195:                                 }
  196:                             }
  197:                         }
  198:                     } else {
  199:                         my $status = &pubstatus($r->filename,$r->dir_config('lonDocRoot'));
  200:                         unless (($status eq 'unpublished') || ($status eq 'obsolete')) {
  201:                             return FORBIDDEN;
  202:                         }
  203:                     }
  204:                 }
  205:             }
  206:         }
  207:         return OK;
  208:     }
  209:     return FORBIDDEN;
  210: }
  211: 
  212: sub sso_login {
  213:     my ($r,$sessiondir,$now,$timetolive,$author) = @_;
  214:     my ($uname,$udom);
  215:     my ($uname) = ($r->user =~ m/([a-zA-Z0-9_\-@.]*)/);
  216:     unless ($uname =~ /^$match_username$/) {
  217:         return;
  218:     }
  219:     $udom = $r->dir_config('lonSSOUserDomain');
  220:     if ($udom eq '') {
  221:         $udom = $r->dir_config('lonDefDomain');
  222:     }
  223:     unless (($udom =~ /^$match_domain$/)) {
  224:         return;
  225:     }
  226:     my $uhome = &Apache::lonnet::homeserver($uname,$udom);
  227:     if ($uhome =~ /^(con_lost|no_host|no_such_host)$/) {
  228:         return;
  229:     }
  230:     my $handle = 
  231:         &Apache::lonwebdavauth::init_webdav_env($r,$sessiondir,$uname,$udom,
  232:                                                 $uhome,$now,$timetolive,$author);
  233:     if ($handle ne '') {
  234:         if (&Apache::lonnet::usertools_access($uname,$udom,'webdav')) {
  235:             my ($webdav) =
  236:                 ($r->uri =~ m{^(/webdav/$match_domain/$match_username/)});
  237:             &Apache::lonnet::log($udom,$uname,$uhome,
  238:                                  "SSO log-in to $webdav from $ENV{'REMOTE_ADDR'}");
  239:             my $cookie = "lonDAV=$handle; path=/webdav/; secure; HttpOnly;";
  240:             $r->header_out('Set-cookie' => $cookie);
  241:             $r->send_http_header;
  242:         }
  243:     }
  244:     return ($handle);
  245: }
  246: 
  247: sub pubstatus {
  248:     my ($fn,$docroot,$cmtime) = @_;
  249:     my $privfn = $fn;
  250:     my $thisdisfn = $fn;
  251:     $thisdisfn=~s/^\Q$docroot\E\/priv//;
  252:     my $resfn=$docroot.'/res'.$thisdisfn;
  253:     my $targetfn = '/res'.$thisdisfn;
  254:     my $status = 'unpublished';
  255:     if (-e $resfn) {
  256:         $status = 'published';
  257:         my $same = 0;
  258:         if ((stat($resfn))[9] >= $cmtime) {
  259:             $same = 1;
  260:         } else {
  261:             if (&Apache::londiff::are_different_files($resfn,$privfn)) {
  262:                 $same = 0;
  263:             } else {
  264:                 $same = 1;
  265:             }
  266:         }
  267:         if ($same) {
  268:             if (&Apache::lonnet::metadata($targetfn,'obsolete')) {
  269:                 $status = 'obsolete';
  270:             }
  271:         }
  272:     }
  273:     return $status;
  274: }
  275: 
  276: sub recurse_dir {
  277:     my ($dirname,$docroot,$numpub) = @_;
  278:     $dirname =~ s{/$}{};
  279:     my $dirptr=16384;
  280:     if (opendir(my $dirh,$dirname)) {
  281:         my @items = readdir($dirh);
  282:         closedir($dirh);
  283:         foreach my $item (@items) {
  284:             next if ($item =~ /.+\.(log|bak|save|meta)$/);
  285:             next if ($item =~ /^\.+/);
  286:             my ($cmode,$cmtime)=(stat("$dirname/$item"))[2,9];
  287:             if (!($cmode&$dirptr)) {
  288:                 if (&pubstatus("$dirname/$item",$docroot,$cmtime) eq 'published') {
  289:                     $numpub ++;
  290:                 }
  291:             } else {
  292:                 $numpub = &recurse_dir("$dirname/$item",$docroot,$numpub);
  293:             }
  294:         }
  295:     }
  296:     return $numpub;
  297: }
  298: 
1;   # a module loaded with use/require must return a true value
