--- loncom/lontrans.pm	2020/12/18 15:23:04	1.27
+++ loncom/lontrans.pm	2021/07/17 21:48:27	1.33
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # URL translation for User Files
 #
-# $Id: lontrans.pm,v 1.27 2020/12/18 15:23:04 raeburn Exp $
+# $Id: lontrans.pm,v 1.33 2021/07/17 21:48:27 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -29,8 +29,9 @@
 package Apache::lontrans;
 
 use strict;
-use Apache::Constants qw(:common :remotehost REDIRECT);
+use Apache::Constants qw(:common :remotehost);
 use Apache::lonnet;
+use Apache::loncommon;
 use Apache::File();
 use LONCAPA qw(:DEFAULT :match);
 
@@ -38,14 +39,14 @@ sub handler {
     my $r = shift;
     # FIXME line remove when mod_perl fixes BUG#4948
     $r->notes->set('error-notes' => '');
-    my $actualhost = $r->headers_in->get('Host');
+    my $hdrhost = $r->headers_in->get('Host');
     if ($r->uri=~m{^/raw/}) {
-        if ($actualhost) {
-            unless ($host =~ /^internal\-/) {
+        if ($hdrhost) {
+            unless ($hdrhost =~ /^internal\-/) {
                 my $remote_ip = &Apache::lonnet::get_requestor_ip($r,REMOTE_NOLOOKUP,1);
                 my $lonhost = $r->dir_config('lonHostID');
                 if (&redirect_raw($remote_ip,$lonhost)) {
-                    my $location = 'https://internal-'.$host.$r->uri;
+                    my $location = 'https://internal-'.$hdrhost.$r->uri;
                     $r->headers_out->set(Location => $location);
                     return REDIRECT;
                 }
@@ -55,30 +56,70 @@ sub handler {
     my $alias = &Apache::lonnet::get_proxy_alias();
     if ($alias) {
         my $lonhost = $r->dir_config('lonHostID');
-        my $expected_host = &Apache::lonnet::hostname($lonhost);
-        if (($actualhost eq $expected_host) && ($actualhost ne $alias)) {
-            my $remote_ip = &Apache::lonnet::get_requestor_ip($r,REMOTE_NOLOOKUP,1);
-            unless ($remote_ip eq '127.0.0.1') {
-                my $hostip = &Apache::lonnet::get_host_ip($lonhost);
-                unless ($remote_ip eq $hostip) {
-                    my $do_redirect = 1;
-                    if ($r->uri=~m{^/raw/}){
+        my $hostname = &Apache::lonnet::hostname($lonhost);
+        if (($hdrhost eq $alias) || ($hdrhost eq $hostname)) {
+            my $proxyinfo = &Apache::lonnet::get_proxy_settings($r->dir_config('lonDefDomain'));
+            my ($vpnint,$vpnext);
+            if (ref($proxyinfo) eq 'HASH') {
+                $vpnint = $proxyinfo->{'vpnint'};
+                $vpnext = $proxyinfo->{'vpnext'};
+            }
+            my ($redirect,$remote_ip);
+            if ($hdrhost eq $alias) {
+                $remote_ip = &Apache::lonnet::get_requestor_ip($r,REMOTE_NOLOOKUP);
+                if ($vpnext && &Apache::lonnet::ip_match($remote_ip,$vpnext)) {
+                    $redirect = $hostname;
+                    if ($redirect eq $hdrhost) {
+                        undef($redirect);
+                    }
+                }
+            } elsif ($hdrhost eq $hostname) {
+                $remote_ip = &Apache::lonnet::get_requestor_ip($r,REMOTE_NOLOOKUP,1);
+                unless (($remote_ip eq '127.0.0.1') || ($remote_ip eq '::1') ||
+                        ($remote_ip eq &Apache::lonnet::get_host_ip($lonhost)) ||
+                        ($vpnint && &Apache::lonnet::ip_match($remote_ip,$vpnint))) {
+                    $redirect = $alias;
+                    if (($r->uri=~m{^/raw/}) || ($r->uri=~m{^/adm/dns/(hosts|domain)$})) {
                         my %iphost = &Apache::lonnet::get_iphost();
                         if (exists($iphost{$remote_ip})) {
-                            undef($do_redirect);
+                            undef($redirect);
                         }
                     }
-                    if ($do_redirect) {
-                        my $uri = $r->uri;
-                        my $protocol = 'http';
-                        my $port = $r->get_server_port();
-                        if ($port eq '443') {
-                            $protocol = 'https';
+                }
+            }
+            if ($redirect) {
+                my $uri = $r->uri;
+                if (($uri eq '/adm/sso') || ($uri eq '/adm/switchserver') ||
+                    ($uri =~ m{^/Shibboleth.sso/})) {
+                    return DECLINED;
+                }
+                unless ($uri eq '/adm/migrateuser') {
+                    my %user;
+                    my $handle = &Apache::lonnet::check_for_valid_session($r,undef,\%user);
+                    if (($handle) && ($user{'name'} ne '') && ($user{'domain'} ne '')) {
+                        my $token = &get_token($r,$remote_ip,\%user);
+                        unless ($token eq '') {
+                            $r->internal_redirect("/adm/migrateuser?token=$token");
+                            $r->set_handlers('PerlHandler'=> undef);
+                            return DECLINED;
                         }
-                        $r->header_out(Location => $protocol.'://'.$alias.$uri);
-                        return REDIRECT;
                     }
                 }
+                my $protocol = 'http';
+                my $port = $r->get_server_port();
+                if ($port eq '443') {
+                    $protocol = 'https';
+                }
+                my $querystring = $r->args;
+                if ($uri =~ m{^(/adm/css/)(.+)(.css)$}) {
+                    $uri = $1.&escape($2).$3;
+                }
+                my $location = $protocol.'://'.$redirect.$uri;
+                if ($querystring) {
+                    $location .= "?$querystring";
+                }
+                $r->header_out(Location => $location);
+                return REDIRECT;
             }
         }
     }
@@ -153,6 +194,44 @@ sub redirect_raw {
     return $redirect;
 }
 
+sub get_token {
+    my ($r,$remote_ip,$userref) = @_;
+    return unless (ref($userref) eq 'HASH');
+    my %user = %{$userref};
+    my %info = ('ip' => $remote_ip,
+                'domain'    => $user{'domain'},
+                'username'  => $user{'name'},
+                'server'    => $r->dir_config('lonHostID'),
+               );
+    my $query = $r->args;
+    if ($query) {
+        foreach my $pair (split(/&/,$query)) {
+            my ($name,$value) = split(/=/,$pair);
+            $name = &LONCAPA::unescape($name);
+            next unless (($name eq 'role') || ($name eq 'symb'));
+            $value =~ tr/+/ /;
+            $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg;
+            $info{$name} = $value;
+        }
+    }
+    unless ($info{'role'}) {
+        if ($user{'role'} ne '') {
+            $info{'role'} = $user{'role'};
+        }
+    }
+    unless ($info{'symb'}) {
+        unless ($r->uri eq '/adm/roles') {
+             $info{'origurl'} = $r->uri;
+        }
+    }
+    my $token = &Apache::lonnet::tmpput(\%info,$r->dir_config('lonHostID'));
+    unless (($token eq 'con_lost') || ($token eq 'refused') ||
+            ($token eq 'unknown_cmd') || ($token eq 'no_such_host')) {
+        return $token;
+    }
+    return;
+}
+
 1;
 __END__