--- loncom/lond 2016/09/27 16:30:24 1.489.2.25 +++ loncom/lond 2018/04/29 00:40:49 1.489.2.29 @@ -2,7 +2,7 @@ # The LearningOnline Network # lond "LON Daemon" Server (port "LOND" 5663) # -# $Id: lond,v 1.489.2.25 2016/09/27 16:30:24 raeburn Exp $ +# $Id: lond,v 1.489.2.29 2018/04/29 00:40:49 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -64,7 +64,7 @@ my $DEBUG = 0; # Non zero to ena my $status=''; my $lastlog=''; -my $VERSION='$Revision: 1.489.2.25 $'; #' stupid emacs +my $VERSION='$Revision: 1.489.2.29 $'; #' stupid emacs my $remoteVERSION; my $currenthostid="default"; my $currentdomainid; @@ -1430,12 +1430,14 @@ sub du2_handler { # # 1. for a directory, and the path does not begin with one of: # (a) /home/httpd/html/res/ -# (b) /home/httpd/html/res/userfiles/ +# (b) /home/httpd/html/userfiles/ # (c) /home/httpd/lonUsers//<1>/<2>/<3>//userfiles # or is: # -# 2. for a file, and the path (after prepending) does not begin with: -# /home/httpd/lonUsers//<1>/<2>/<3>// +# 2. for a file, and the path (after prepending) does not begin with one of: +# (a) /home/httpd/lonUsers//<1>/<2>/<3>// +# (b) /home/httpd/html/res/// +# (c) /home/httpd/html/userfiles/// # # the response will be "refused". # @@ -1466,8 +1468,8 @@ sub ls_handler { } if (-e $ulsdir) { if(-d $ulsdir) { - unless (($ulsdir =~ m{/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) || - ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/userfiles/})) { + unless (($ulsdir =~ m{^/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) || + ($ulsdir =~ m{^/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_name/userfiles})) { &Failure($client,"refused\n",$userinput); return 1; } @@ -1494,7 +1496,8 @@ sub ls_handler { closedir(LSDIR); } } else { - unless ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/}) { + unless (($ulsdir =~ m{^/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_name/}) || + ($ulsdir =~ m{^/home/httpd/html/(?:res|userfiles)/$LONCAPA::match_domain/$LONCAPA::match_name/})) { &Failure($client,"refused\n",$userinput); return 1; } @@ -1527,12 +1530,14 @@ sub ls_handler { # # 1. for a directory, and the path does not begin with one of: # (a) /home/httpd/html/res/ -# (b) /home/httpd/html/res/userfiles/ +# (b) /home/httpd/html/userfiles/ # (c) /home/httpd/lonUsers//<1>/<2>/<3>//userfiles # or is: # -# 2. for a file, and the path (after prepending) does not begin with: -# /home/httpd/lonUsers//<1>/<2>/<3>// +# 2. for a file, and the path (after prepending) does not begin with one of: +# (a) /home/httpd/lonUsers//<1>/<2>/<3>// +# (b) /home/httpd/html/res/// +# (c) /home/httpd/html/userfiles/// # # the response will be "refused". # @@ -1562,8 +1567,8 @@ sub ls2_handler { } if (-e $ulsdir) { if(-d $ulsdir) { - unless (($ulsdir =~ m{/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) || - ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/userfiles/})) { + unless (($ulsdir =~ m{^/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) || + ($ulsdir =~ m{^/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_name/userfiles})) { &Failure($client,"refused\n","$userinput"); return 1; } @@ -1591,7 +1596,8 @@ sub ls2_handler { closedir(LSDIR); } } else { - unless ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/}) { + unless (($ulsdir =~ m{^/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_name/}) || + ($ulsdir =~ m{^/home/httpd/html/(?:res|userfiles)/$LONCAPA::match_domain/$LONCAPA::match_name/})) { &Failure($client,"refused\n",$userinput); return 1; } @@ -1616,14 +1622,17 @@ sub ls2_handler { # # 1. for a directory, and the path does not begin with one of: # (a) /home/httpd/html/res/ -# (b) /home/httpd/html/res/userfiles/ +# (b) /home/httpd/html/userfiles/ # (c) /home/httpd/lonUsers//<1>/<2>/<3>//userfiles -# (d) /home/httpd/html/priv// and client is the homeserver +# (d) /home/httpd/html/priv/ and client is the homeserver # # or is: # -# 2. for a file, and the path (after prepending) does not begin with: -# /home/httpd/lonUsers//<1>/<2>/<3>// +# 2. for a file, and the path (after prepending) does not begin with one of: +# (a) /home/httpd/lonUsers//<1>/<2>/<3>// +# (b) /home/httpd/html/res/// +# (c) /home/httpd/html/userfiles/// +# (d) /home/httpd/html/priv/// and client is the homeserver # # the response will be "refused". # @@ -1700,9 +1709,9 @@ sub ls3_handler { if (-e $ulsdir) { if(-d $ulsdir) { unless (($getpropath) || ($getuserdir) || - ($ulsdir =~ m{/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) || - ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/userfiles/}) || - (($ulsdir =~ m{/home/httpd/html/priv/$LONCAPA::match_domain/}) && ($islocal))) { + ($ulsdir =~ m{^/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) || + ($ulsdir =~ m{^/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_name/userfiles}) || + (($ulsdir =~ m{^/home/httpd/html/priv/$LONCAPA::match_domain}) && ($islocal))) { &Failure($client,"refused\n",$userinput); return 1; } @@ -1731,7 +1740,9 @@ sub ls3_handler { } } else { unless (($getpropath) || ($getuserdir) || - ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/})) { + ($ulsdir =~ m{^/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_name/}) || + ($ulsdir =~ m{^/home/httpd/html/(?:res|userfiles)/$LONCAPA::match_domain/$LONCAPA::match_name/}) || + (($ulsdir =~ m{^/home/httpd/html/priv/$LONCAPA::match_domain/$LONCAPA::match_name/}) && ($islocal))) { &Failure($client,"refused\n",$userinput); return 1; } @@ -2151,12 +2162,8 @@ sub hash_passwd { my $plainsalt = substr($rest[1],0,22); $salt = Crypt::Eksblowfish::Bcrypt::de_base64($plainsalt); } else { - my $defaultcost; - my %domconfig = - &Apache::lonnet::get_dom('configuration',['password'],$domain); - if (ref($domconfig{'password'}) eq 'HASH') { - $defaultcost = $domconfig{'password'}{'cost'}; - } + my %domdefaults = &Apache::lonnet::get_domain_defaults($domain); + my $defaultcost = $domdefaults{'intauth_cost'}; if (($defaultcost eq '') || ($defaultcost =~ /D/)) { $cost = 10; } else { @@ -3794,6 +3801,37 @@ sub send_query_handler { my ($query,$arg1,$arg2,$arg3)=split(/\:/,$tail); $query=~s/\n*$//g; + if (($query eq 'usersearch') || ($query eq 'instdirsearch')) { + my $usersearchconf = &get_usersearch_config($currentdomainid,'directorysrch'); + my $earlyout; + if (ref($usersearchconf) eq 'HASH') { + if ($currentdomainid eq $clienthomedom) { + if ($query eq 'usersearch') { + if ($usersearchconf->{'lcavailable'} eq '0') { + $earlyout = 1; + } + } else { + if ($usersearchconf->{'available'} eq '0') { + $earlyout = 1; + } + } + } else { + if ($query eq 'usersearch') { + if ($usersearchconf->{'lclocalonly'}) { + $earlyout = 1; + } + } else { + if ($usersearchconf->{'localonly'}) { + $earlyout = 1; + } + } + } + } + if ($earlyout) { + &Reply($client, "query_not_authorized\n"); + return 1; + } + } &Reply($client, "". &sql_reply("$clientname\&$query". "\&$arg1"."\&$arg2"."\&$arg3")."\n", $userinput); @@ -5350,9 +5388,10 @@ sub validate_course_section_handler { # Formal Parameters: # $cmd - The command request that got us dispatched. # $tail - The tail of the command. In this case this is a colon separated -# set of words that will be split into: +# set of values that will be split into: # $inst_class - Institutional code for the specific class section -# $courseowner - The escaped username:domain of the course owner +# $ownerlist - An escaped comma-separated list of username:domain +# of the course owner, and co-owner(s). # $cdom - The domain of the course from the institution's # point of view. # $client - The socket open on the client. @@ -5377,6 +5416,56 @@ sub validate_class_access_handler { ®ister_handler("autovalidateclass_sec", \&validate_class_access_handler, 0, 1, 0); # +# Validate course owner or co-owners(s) access to enrollment data for all sections +# and crosslistings for a particular course. +# +# +# Formal Parameters: +# $cmd - The command request that got us dispatched. +# $tail - The tail of the command. In this case this is a colon separated +# set of values that will be split into: +# $ownerlist - An escaped comma-separated list of username:domain +# of the course owner, and co-owner(s). +# $cdom - The domain of the course from the institution's +# point of view. +# $classes - Frozen hash of institutional course sections and +# crosslistings. +# $client - The socket open on the client. +# Returns: +# 1 - continue processing. +# + +sub validate_classes_handler { + my ($cmd, $tail, $client) = @_; + my $userinput = "$cmd:$tail"; + my ($ownerlist,$cdom,$classes) = split(/:/, $tail); + my $classesref = &Apache::lonnet::thaw_unescape($classes); + my $owners = &unescape($ownerlist); + my $result; + eval { + local($SIG{__DIE__})='DEFAULT'; + my %validations; + my $response = &localenroll::check_instclasses($owners,$cdom,$classesref, + \%validations); + if ($response eq 'ok') { + foreach my $key (keys(%validations)) { + $result .= &escape($key).'='.&Apache::lonnet::freeze_escape($validations{$key}).'&'; + } + $result =~ s/\&$//; + } else { + $result = 'error'; + } + }; + if (!$@) { + &Reply($client, \$result, $userinput); + } else { + &Failure($client,"unknown_cmd\n",$userinput); + } + return 1; +} +®ister_handler("autovalidateinstclasses", \&validate_classes_handler, 0, 1, 0); + +# # Create a password for a new LON-CAPA user added by auto-enrollment. # Only used for case where authentication method for new user is localauth # @@ -6938,7 +7027,6 @@ sub make_new_child { ."Attempted insecure connection disallowed "); close $client; $clientok = 0; - } } } else { @@ -6947,7 +7035,6 @@ sub make_new_child { ."$clientip failed to initialize: >$remotereq< "); &status('No init '.$clientip); } - } else { &logthis( "WARNING: Unknown client $clientip"); @@ -7105,15 +7192,25 @@ sub password_filename { # domain - domain of the user. # name - User's name. # contents - New contents of the file. +# saveold - (optional). If true save old file in a passwd.bak file. # Returns: # 0 - Failed. # 1 - Success. # sub rewrite_password_file { - my ($domain, $user, $contents) = @_; + my ($domain, $user, $contents, $saveold) = @_; my $file = &password_filename($domain, $user); if (defined $file) { + if ($saveold) { + my $bakfile = $file.'.bak'; + if (CopyFile($file,$bakfile)) { + chmod(0400,$bakfile); + &logthis("Old password saved in passwd.bak for internally authenticated user: $user:$domain"); + } else { + &logthis("Failed to save old password in passwd.bak for internally authenticated user: $user:$domain"); + } + } my $pf = IO::File->new(">$file"); if($pf) { print $pf "$contents\n"; @@ -7204,20 +7301,27 @@ sub validate_user { $contentpwd = $domdefaults{'auth_arg_def'}; } } - } + } if ($howpwd ne 'nouser') { if($howpwd eq "internal") { # Encrypted is in local password file. if (length($contentpwd) == 13) { $validated = (crypt($password,$contentpwd) eq $contentpwd); if ($validated) { - my $ncpass = &hash_passwd($domain,$password); - if (&rewrite_password_file($domain,$user,"$howpwd:$ncpass")) { - &update_passwd_history($user,$domain,$howpwd,'conversion'); - &logthis("Validated password hashed with bcrypt for $user:$domain"); + my %domdefaults = &Apache::lonnet::get_domain_defaults($domain); + if ($domdefaults{'intauth_switch'}) { + my $ncpass = &hash_passwd($domain,$password); + my $saveold; + if ($domdefaults{'intauth_switch'} == 2) { + $saveold = 1; + } + if (&rewrite_password_file($domain,$user,"$howpwd:$ncpass",$saveold)) { + &update_passwd_history($user,$domain,$howpwd,'conversion'); + &logthis("Validated password hashed with bcrypt for $user:$domain"); + } } } } else { - $validated = &check_internal_passwd($password,$contentpwd,$domain); + $validated = &check_internal_passwd($password,$contentpwd,$domain,$user); } } elsif ($howpwd eq "unix") { # User is a normal unix user. @@ -7287,24 +7391,35 @@ sub validate_user { } sub check_internal_passwd { - my ($plainpass,$stored,$domain) = @_; + my ($plainpass,$stored,$domain,$user) = @_; my (undef,$method,@rest) = split(/!/,$stored); - if ($method eq "bcrypt") { + if ($method eq 'bcrypt') { my $result = &hash_passwd($domain,$plainpass,@rest); if ($result ne $stored) { return 0; } - # Upgrade to a larger number of rounds if necessary - my $defaultcost; - my %domconfig = - &Apache::lonnet::get_dom('configuration',['password'],$domain); - if (ref($domconfig{'password'}) eq 'HASH') { - $defaultcost = $domconfig{'password'}{'cost'}; - } - if (($defaultcost eq '') || ($defaultcost =~ /D/)) { - $defaultcost = 10; + my %domdefaults = &Apache::lonnet::get_domain_defaults($domain); + if ($domdefaults{'intauth_check'}) { + # Upgrade to a larger number of rounds if necessary + my $defaultcost = $domdefaults{'intauth_cost'}; + if (($defaultcost eq '') || ($defaultcost =~ /D/)) { + $defaultcost = 10; + } + if (int($rest[0])