--- loncom/lontrans.pm	2019/01/20 02:42:35	1.25
+++ loncom/lontrans.pm	2021/04/18 02:08:46	1.30
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # URL translation for User Files
 #
-# $Id: lontrans.pm,v 1.25 2019/01/20 02:42:35 raeburn Exp $
+# $Id: lontrans.pm,v 1.30 2021/04/18 02:08:46 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -29,8 +29,9 @@
 package Apache::lontrans;
 
 use strict;
-use Apache::Constants qw(:common :remotehost REDIRECT);
+use Apache::Constants qw(:common :remotehost);
 use Apache::lonnet;
+use Apache::loncommon;
 use Apache::File();
 use LONCAPA qw(:DEFAULT :match);
 
@@ -38,20 +39,83 @@ sub handler {
     my $r = shift;
     # FIXME line remove when mod_perl fixes BUG#4948
     $r->notes->set('error-notes' => '');
+    my $hdrhost = $r->headers_in->get('Host');
     if ($r->uri=~m{^/raw/}) {
-        my $host = $r->headers_in->get('Host');
-        if ($host) {
-            unless ($host =~ /^internal\-/) {
-                my $remote_ip = $r->get_remote_host();
+        if ($hdrhost) {
+            unless ($hdrhost =~ /^internal\-/) {
+                my $remote_ip = &Apache::lonnet::get_requestor_ip($r,REMOTE_NOLOOKUP,1);
                 my $lonhost = $r->dir_config('lonHostID');
                 if (&redirect_raw($remote_ip,$lonhost)) {
-                    my $location = 'https://internal-'.$host.$r->uri;
+                    my $location = 'https://internal-'.$hdrhost.$r->uri;
                     $r->headers_out->set(Location => $location);
                     return REDIRECT;
                 }
             }
         }
     }
+    my $alias = &Apache::lonnet::get_proxy_alias();
+    if ($alias) {
+        my $lonhost = $r->dir_config('lonHostID');
+        my $hostname = &Apache::lonnet::hostname($lonhost);
+        if (($hdrhost eq $alias) || ($hdrhost eq $hostname)) {
+            my $proxyinfo = &Apache::lonnet::get_proxy_settings($r->dir_config('lonDefDomain'));
+            my ($vpnint,$vpnext);
+            if (ref($proxyinfo) eq 'HASH') {
+                $vpnint = $proxyinfo->{'vpnint'};
+                $vpnext = $proxyinfo->{'vpnext'};
+            }
+            my ($redirect,$remote_ip);
+            if ($hdrhost eq $alias) {
+                $remote_ip = &Apache::lonnet::get_requestor_ip($r,REMOTE_NOLOOKUP);
+                if ($vpnext && &Apache::lonnet::ip_match($remote_ip,$vpnext)) {
+                    $redirect = $hostname;
+                    if ($redirect eq $hdrhost) {
+                        undef($redirect);
+                    }
+                }
+            } elsif ($hdrhost eq $hostname) {
+                $remote_ip = &Apache::lonnet::get_requestor_ip($r,REMOTE_NOLOOKUP,1);
+                unless (($remote_ip eq '127.0.0.1') || ($remote_ip eq '::1') ||
+                        ($remote_ip eq &Apache::lonnet::get_host_ip($lonhost)) ||
+                        ($vpnint && &Apache::lonnet::ip_match($remote_ip,$vpnint))) {
+                    $redirect = $alias;
+                    if ($r->uri=~m{^/raw/}){
+                        my %iphost = &Apache::lonnet::get_iphost();
+                        if (exists($iphost{$remote_ip})) {
+                            undef($redirect);
+                        }
+                    }
+                }
+            }
+            if ($redirect) {
+                my $uri = $r->uri;
+                unless ($uri eq '/adm/migrateuser') {
+                    my %user;
+                    my $handle = &Apache::lonnet::check_for_valid_session($r,undef,\%user);
+                    if (($handle) && ($user{'name'} ne '') && ($user{'domain'} ne '')) {
+                        my $token = &get_token($r,$remote_ip,\%user);
+                        unless ($token eq '') {
+                            $r->internal_redirect("/adm/migrateuser?token=$token");
+                            $r->set_handlers('PerlHandler'=> undef);
+                            return DECLINED;
+                        }
+                    }
+                }
+                my $protocol = 'http';
+                my $port = $r->get_server_port();
+                if ($port eq '443') {
+                    $protocol = 'https';
+                }
+                my $querystring = $r->args;
+                my $location = $protocol.'://'.$redirect.$uri;
+                if ($querystring) {
+                    $location .= "?$querystring";
+                }
+                $r->header_out(Location => $location);
+                return REDIRECT;
+            }
+        }
+    }
     if ($r->uri=~m|^(/raw)?/uploaded/|) {
         my $fn = $r->uri();
         $fn=~s/^\/raw//;
@@ -66,9 +130,12 @@ sub handler {
 			 '/userfiles/'.(join('/',@ufile)));
         }
         return OK;
-    } else {
-        return DECLINED;
+    } elsif ($r->uri =~ m{^\Q/adm/wrapper/ext/https:/\E[^/]}) {
+        my $uri = $r->uri;
+        $uri =~ s{^(\Q/adm/wrapper/ext/https:/\E)}{$1/};
+        $r->uri($uri);
     }
+    return DECLINED;
 }
 
 sub redirect_raw {
@@ -120,6 +187,44 @@ sub redirect_raw {
     return $redirect;
 }
 
+sub get_token {
+    my ($r,$remote_ip,$userref) = @_;
+    return unless (ref($userref) eq 'HASH');
+    my %user = %{$userref};
+    my %info = ('ip' => $remote_ip,
+                'domain'    => $user{'domain'},
+                'username'  => $user{'name'},
+                'server'    => $r->dir_config('lonHostID'),
+               );
+    my $query = $r->args;
+    if ($query) {
+        foreach my $pair (split(/&/,$query)) {
+            my ($name,$value) = split(/=/,$pair);
+            $name = &LONCAPA::unescape($name);
+            next unless (($name eq 'role') || ($name eq 'symb'));
+            $value =~ tr/+/ /;
+            $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg;
+            $info{$name} = $value;
+        }
+    }
+    unless ($info{'role'}) {
+        if ($user{'role'} ne '') {
+            $info{'role'} = $user{'role'};
+        }
+    }
+    unless ($info{'symb'}) {
+        unless ($r->uri eq '/adm/roles') {
+             $info{'origurl'} = $r->uri;
+        }
+    }
+    my $token = &Apache::lonnet::tmpput(\%info,$r->dir_config('lonHostID'));
+    unless (($token eq 'con_lost') || ($token eq 'refused') ||
+            ($token eq 'unknown_cmd') || ($token eq 'no_such_host')) {
+        return $token;
+    }
+    return;
+}
+
 1;
 __END__