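# The LearningOnline Network
# Switch Servers Handler
#
# $Id: switchserver.pm,v 1.63 2022/09/13 12:22:14 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
# This file is part of the LearningOnline Network with CAPA (LON-CAPA).
#
# LON-CAPA is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# LON-CAPA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with LON-CAPA; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# /home/httpd/html/adm/gpl.txt
#
# http://www.lon-capa.org/
#
# Overview
# --------
# This mod_perl handler moves an authenticated LON-CAPA session from the
# current server to another one.  It validates the session and the
# requested target/role, removes the local session file, expires the
# session cookies, stores a one-time handover record on the target via
# tmpput(), and redirects the browser to the target's /adm/login with the
# handover token.  The target server id comes from the query string
# ('otherserver') and is therefore untrusted until hostname() and
# can_switchserver() have accepted it.

package Apache::switchserver;

use strict;
use Apache::Constants qw(:common :remotehost);
use Apache::lonnet;
use Digest::MD5 qw(md5_hex);
use CGI::Cookie();
use Apache::lonlocal;
use LONCAPA qw(:DEFAULT :match);

# Locate the session environment file for this request.
#
# Arguments:
#   $r  - Apache request object
#
# Returns the path of the lonIDs ".id" file that holds the user's session
# environment, or undef when the request carries no valid session.  If
# %env is already populated ('user.environment' names an existing file)
# that path is returned directly; otherwise the session cookie is
# validated and the stored profile is transferred into %env first.
sub init_env {
    my ($r) = @_;
    if (-e $env{'user.environment'}) {
        return $env{'user.environment'};
    }
    my $handle = &Apache::lonnet::check_for_valid_session($r);
    # An empty handle means no valid session cookie; there is nothing to
    # load, so bail out and let the caller answer FORBIDDEN.  (The
    # remaining statements only make sense for a non-empty handle.)
    if ($handle eq '') {
        return;
    }
    my $lonidsdir = $r->dir_config('lonIDsDir');
    &Apache::lonnet::transfer_profile_to_env($lonidsdir,$handle);
    return "$lonidsdir/$handle.id";
}

# Emit the "Switching Server ..." page, which carries the client-side
# redirect to $url.
#
# Arguments:
#   $r               - Apache request object
#   $url             - absolute URL the browser is sent to
#   $only_body       - true to render a body-only page
#   $extra_text      - optional markup placed between start and end page
#                      (used for the SSO logout script)
#   $write_to_opener - passed through to start_page's redirect handling
#
# Returns OK.  Except for the public/public pseudo-user, flushing of the
# course logs is registered as a request cleanup so it runs after the
# response has been sent.
sub do_redirect {
    my ($r,$url,$only_body,$extra_text,$write_to_opener) = @_;
    $r->send_http_header;
    # A body-only page with nothing else to show redirects immediately.
    my $delay = 0.5;
    if ($only_body && !$extra_text) {
        $delay = 0;
    }
    my $start_page =
        &Apache::loncommon::start_page('Switching Server ...',undef,
                                       {'redirect'  => [$delay,$url,'',$write_to_opener,1],
                                        'only_body' => $only_body,});
    my $end_page = &Apache::loncommon::end_page();
    $r->print($start_page.$extra_text.$end_page);
    unless ($env{'user.name'} eq 'public' && ($env{'user.domain'} eq 'public')) {
        $r->register_cleanup(\&flush_course_logs);
    }
    return OK;
}

# Create a load-balancer affinity cookie pointing at $desthost.
#
# Arguments:
#   $r        - Apache request object
#   $desthost - LON-CAPA host id the session is being moved to
#   $uname    - user name
#   $udom     - user domain
#
# When $desthost is not one of this machine's own ids, a fresh id is
# generated, "$udom_$uname_$id.id" is written under lonBalanceDir with the
# destination host as its content, and a "balanceID" cookie naming it is
# added to the response.  Returns the new id, or undef when no cookie was
# needed (destination is the current machine).
#
# Notes:
#   - The id is a double MD5 over time, a stringified address, rand() and
#     the pid.  rand() is not a cryptographically strong source, so treat
#     the id as an opaque affinity handle rather than a secret.
#   - The cookie is HttpOnly.  No Secure attribute is set here; the
#     target's protocol is not known inside this sub.
sub balancer_cookieid {
    my ($r,$desthost,$uname,$udom) = @_;
    my @hosts = &Apache::lonnet::current_machine_ids();
    my $newcookieid;
    unless (grep(/^\Q$desthost\E$/,@hosts)) {
        my $balancedir = $r->dir_config('lonBalanceDir');
        $newcookieid = &md5_hex(&md5_hex(time.{}.rand().$$));
        my $cookie = $udom.'_'.$uname.'_'.$newcookieid;
        my $balcookie = "balanceID=$cookie; path=/; HttpOnly;";
        if (open(my $fh,'>',"$balancedir/$cookie.id")) {
            print {$fh} $desthost;
            # Buffered write errors surface at close(); only hand the
            # cookie to the browser when the balance file was written.
            if (close($fh)) {
                $r->headers_out->add('Set-cookie' => $balcookie);
            }
        }
    }
    return $newcookieid;
}

# Request-cleanup callback: flush buffered course logs.  Returns OK.
sub flush_course_logs {
    &Apache::lonnet::flushcourselogs();
    return OK;
}

# mod_perl entry point for /adm/switchserver.
#
# Arguments:
#   $r - Apache request object
#
# Returns an Apache status: FORBIDDEN when there is no valid session, the
# requested target is unknown, or the user's domain may not be hosted
# there; otherwise OK after printing the redirect page.
#
# Query parameters read (via get_unprocessed_cgi): otherserver, role,
# origurl, symb, lcssowin, edit.
sub handler {
    my ($r) = @_;
    my $handle = &init_env($r);
    if (!defined($handle)) {
        return FORBIDDEN;
    }
    &Apache::loncommon::get_unprocessed_cgi($ENV{'QUERY_STRING'},
        ['otherserver','role','origurl','symb','lcssowin','edit']);

    # Resolve the target.  'otherserver' is user-supplied; hostname()
    # returns undef for an unknown id, which is rejected below.  Without
    # an explicit target, prefer a server that already holds a session
    # for this user, else pick a spare server.
    my $switch_to = &Apache::lonnet::hostname($env{'form.otherserver'});
    if (! $env{'form.otherserver'}) {
        $env{'form.otherserver'} =
            &Apache::lonnet::find_existing_session($env{'user.domain'},
                                                   $env{'user.name'});
        if (! $env{'form.otherserver'}) {
            $env{'form.otherserver'} = &Apache::lonnet::spareserver($r,30000,undef,1);
        }
        $switch_to = &Apache::lonnet::hostname($env{'form.otherserver'});
    }
    if (!defined($switch_to)) {
        return FORBIDDEN;
    }

    # Protocol and (when the target is another machine) its proxy alias.
    my $protocol = 'http';
    if ($env{'form.otherserver'}) {
        if ($Apache::lonnet::protocol{$env{'form.otherserver'}} eq 'https') {
            $protocol = $Apache::lonnet::protocol{$env{'form.otherserver'}};
        }
        unless ($env{'form.otherserver'} eq $r->dir_config('lonHostID')) {
            my $alias = &Apache::lonnet::use_proxy_alias($r,$env{'form.otherserver'});
            $switch_to = $alias if ($alias ne '');
        }
    }

    # The public pseudo-user has no roles or handover to carry: drop the
    # session file, expire its cookie and send it to the same URI on the
    # target.
    if ($env{'user.name'} eq 'public' && $env{'user.domain'} eq 'public') {
        my $url = $protocol.'://'.$switch_to.$r->uri;
        unlink($handle);
        #expire the cookie
        my $c = CGI::Cookie->new(-name    => 'lonPubID',
                                 -value   => '',
                                 -expires => '-10y',);
        $r->header_out('Set-cookie' => $c);
        return &do_redirect($r,$url,1);
    }

    # Validate the requested role against the session's own role list and
    # its start/end times.  Author-type roles whose author's home server
    # is the target bypass the can_switchserver() domain check (for
    # co-author roles only when the two domains trust each other).
    my $skip_canhost_check = '';
    my $now = time;
    if ($env{'form.role'}) {
        if (!exists($env{'user.role.'.$env{'form.role'}})) {
            delete($env{'form.role'});
        } else {
            my ($start,$end) = split(/\./,$env{'user.role.'.$env{'form.role'}});
            if (($start && $start > $now) || ($end && $end < $now)) {
                delete($env{'form.role'});
            } elsif ($env{'form.role'} eq 'au./'.$env{'user.domain'}.'/') {
                if (&Apache::lonnet::homeserver($env{'user.name'},$env{'user.domain'}) eq $env{'form.otherserver'}) {
                    $skip_canhost_check = 1;
                }
            } elsif ($env{'form.role'} =~ m{^[ac]a\./($match_domain)/($match_username)$}) {
                my ($audom,$auname) = ($1,$2);
                if (&Apache::lonnet::homeserver($auname,$audom) eq $env{'form.otherserver'}) {
                    if ((&Apache::lonnet::will_trust('othcoau',$env{'user.domain'},$audom)) &&
                        (&Apache::lonnet::will_trust('coaurem',$audom,$env{'user.domain'}))) {
                        $skip_canhost_check = 1;
                    }
                }
            }
        }
    }

    unless ($skip_canhost_check) {
        my $canhost = &Apache::lonnet::can_switchserver($env{'user.domain'},$env{'form.otherserver'});
        unless ($canhost) {
            # Fallback for course coordinators (mdc privilege) editing a
            # resource whose author lives on the target: if the user holds
            # a current author/co-author role for that author, switch with
            # that role and rewrite origurl from /res/ to /priv/.
            if (($env{'request.course.id'}) && ($env{'form.symb'} ne '') &&
                (&Apache::lonnet::allowed('mdc',$env{'request.course.id'}))) {
                my $cdom = $env{'course.'.$env{'request.course.id'}.'.domain'};
                my $cnum = $env{'course.'.$env{'request.course.id'}.'.num'};
                if (($cdom ne '') && ($cnum ne '') &&
                    ($env{'form.role'} =~ m{^([^.]+)\Q./$cdom/$cnum\E$})) {
                    my $symb = &Apache::lonnet::symbclean($env{'form.symb'});
                    my ($map,$idx,$url) = &Apache::lonnet::decode_symb($symb);
                    if (&Apache::lonnet::symbverify($symb,$url)) {
                        my $fileloc = &Apache::lonnet::declutter(&Apache::lonnet::filelocation("",$url));
                        my $resurl = &Apache::lonnet::clutter($url);
                        if ($resurl =~ m{^/res/($match_domain)/($match_username)/}) {
                            my ($audom,$auname) = ($1,$2);
                            if (&Apache::lonnet::homeserver($auname,$audom) eq $env{'form.otherserver'}) {
                                my @possroles = ("user.role.au./$audom/",
                                                 "user.role.ca./$audom/$auname",
                                                 "user.role.aa./$audom/$auname");
                                my $hasrole;
                                foreach my $rolekey (@possroles) {
                                    if (exists($env{$rolekey})) {
                                        my ($start,$end) = split(/\./,$env{$rolekey});
                                        unless (($start && $start > $now) || ($end && $end < $now)) {
                                            if ($rolekey eq "user.role.au./$audom/") {
                                                $hasrole = $rolekey;
                                            } elsif ((&Apache::lonnet::will_trust('othcoau',$env{'user.domain'},$audom)) &&
                                                     (&Apache::lonnet::will_trust('coaurem',$audom,$env{'user.domain'}))) {
                                                $hasrole = $rolekey;
                                            }
                                        }
                                        if ($hasrole) {
                                            $hasrole =~ s/^\Quser.role.\E//;
                                            last;
                                        }
                                    }
                                }
                                if ($hasrole) {
                                    $env{'form.role'} = $hasrole;
                                    $env{'form.origurl'} = &Apache::lonnet::deversion($resurl);
                                    $env{'form.origurl'} =~ s{^/res/}{/priv/};
                                    delete($env{'form.symb'});
                                    $canhost = 1;
                                    # Direct edit request: hand over right
                                    # away without the session-removal,
                                    # logging and cookie-expiry steps below.
                                    if ($env{'form.edit'}) {
                                        my $ip = &Apache::lonnet::get_requestor_ip($r,REMOTE_NOLOOKUP);
                                        my %info=('ip'       => $ip,
                                                  'domain'   => $env{'user.domain'},
                                                  'username' => $env{'user.name'},
                                                  'home'     => $env{'user.home'},
                                                  'role'     => $env{'form.role'},
                                                  'server'   => $r->dir_config('lonHostID'),
                                                  'origurl'  => $env{'form.origurl'});
                                        &Apache::loncommon::content_type($r,'text/html');
                                        my $token = &Apache::lonnet::tmpput(\%info,$env{'form.otherserver'});
                                        my $url = $protocol.'://'.$switch_to.'/adm/login?'.
                                                  'domain='.$env{'user.domain'}.
                                                  '&username='.$env{'user.name'}.
                                                  '&token='.$token;
                                        return &do_redirect($r,$url,0);
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
        unless ($canhost) {
            return FORBIDDEN;
        }
    }

    #remove session env, and log event
    if (unlink($handle)) {
        # Also remove a linked-session symlink, but only when its name is
        # well-formed and it really points at the file just removed.
        if ($env{'user.linkedenv'} ne '') {
            my $lonidsdir = $r->dir_config('lonIDsDir');
            if (($env{'user.linkedenv'} =~ /^[a-f0-9]+_linked$/) &&
                (-l "$lonidsdir/$env{'user.linkedenv'}.id") &&
                (readlink("$lonidsdir/$env{'user.linkedenv'}.id") eq $handle)) {
                unlink("$lonidsdir/$env{'user.linkedenv'}.id");
            }
        }
    }
    # NOTE(review): the trailing $env{'form.role'} is a lone list element,
    # so this is an odd-length hash assignment (the role becomes a key with
    # an undef value).  It may have been meant as part of the value string;
    # left unchanged because consumers of 'email_status' are not visible here.
    my %temp=('switchserver' => $now.':'.$env{'form.otherserver'},
              $env{'form.role'});
    &Apache::lonnet::put('email_status',\%temp);
    my $logmsg = "Switch Server to $env{'form.otherserver'}";
    if ($env{'form.role'}) {
        $logmsg .= " with role: $env{'form.role'}";
    } elsif (($env{'form.lti.reqcrs'}) && ($env{'form.lti.reqrole'} eq 'cc')) {
        $logmsg .= " to create new LTI course";
    } elsif ($env{'form.lti.selfenrollrole'}) {
        $logmsg .= " to selfenroll with role: $env{'form.lti.selfenrollrole'}";
    } else {
        $logmsg .= " (no role)";
    }
    my $ip = &Apache::lonnet::get_requestor_ip($r,REMOTE_NOLOOKUP);
    $logmsg .= ' '.$ip;
    &Apache::lonnet::log($env{'user.domain'},$env{'user.name'},
                         $env{'user.home'},$logmsg);
    &Apache::loncommon::content_type($r,'text/html');

    #expire the cookies
    my %cookies=CGI::Cookie->parse($r->header_in('Cookie'));
    foreach my $name (keys(%cookies)) {
        next unless ($name =~ /^lon(|S|Link|Pub)ID$/);
        my $c = CGI::Cookie->new(-name    => $name,
                                 -value   => '',
                                 -expires => '-10y',);
        $r->headers_out->add('Set-cookie' => $c);
    }
    if ($r->header_only) {
        $r->send_http_header;
        return OK;
    }

    # -------------------------------------------------------- Menu script and info
    # ---------------------------------------------------------------- Get handover
    my ($is_balancer,$setcookie,$newcookieid,$otherbalcookie,$offloadto,$dom_balancers);
    my $only_body = 0;
    ($is_balancer,undef,$setcookie,$offloadto,$dom_balancers) =
        &Apache::lonnet::check_loadbalancing($env{'user.name'},$env{'user.domain'},'switchserver');
    if ($is_balancer && $setcookie && $env{'form.otherserver'}) {
        # Set a balancer cookie unless browser already sent LON-CAPA load balancer
        # cookie which points at the target server
        my ($found_server,$balancer_cookie) = &Apache::lonnet::check_for_balancer_cookie($r,1);
        if (($found_server eq $env{'form.otherserver'}) &&
            ($balancer_cookie =~ /^\Q$env{'user.domain'}\E_\Q$env{'user.name'}\E_/)) {
            $only_body = 1;
        } else {
            $newcookieid = &balancer_cookieid($r,$env{'form.otherserver'},
                                              $env{'user.name'},$env{'user.domain'});
        }
    }
    if ((!$is_balancer) && ($env{'request.balancercookie'})) {
        $otherbalcookie = $env{'request.balancercookie'};
    }

    # Handover record stored on the target via tmpput(); the target reads
    # it back with the token sent in the redirect URL.
    my %info=('ip'            => $ip,
              'domain'        => $env{'user.domain'},
              'username'      => $env{'user.name'},
              'home'          => $env{'user.home'},
              'role'          => $env{'form.role'},
              'server'        => $r->dir_config('lonHostID'),
              'balancer'      => $is_balancer,
              'dom_balancers' => $dom_balancers,
              'offloadto'     => '');
    # offloadto may be a hash of arrays or a plain array; flatten to a string.
    if (ref($offloadto) eq 'HASH') {
        foreach my $key (keys(%{$offloadto})) {
            if (ref($offloadto->{$key}) eq 'ARRAY') {
                $info{'offloadto'} .= $key.'='.join(',',@{$offloadto->{$key}}).'&';
            }
        }
        $info{'offloadto'} =~ s/\&$//;
    } elsif (ref($offloadto) eq 'ARRAY') {
        $info{'offloadto'} = join(',',@{$offloadto});
    }
    if ($newcookieid) {
        $info{'balcookie'} = $newcookieid;
    } elsif ($otherbalcookie) {
        $info{'otherbalcookie'} = $otherbalcookie;
    }
    if ($env{'form.origurl'}) {
        $info{'origurl'} = $env{'form.origurl'};
    }
    if ($env{'form.symb'}) {
        $info{'symb'} = $env{'form.symb'};
    }

    # SSO sessions: carry the SSO login marker and concatenate any
    # configured logout scripts (per-domain first, then global) so the
    # redirect page can log the user out of the SSO provider too.
    my $ssologoutscript = '';
    if ($env{'request.sso.login'}) {
        $info{'sso.login'} = $env{'request.sso.login'};
        if (defined($r->dir_config("lonSSOUserLogoutScriptFile_$info{domain}"))) {
            if (open(my $fh,'<',$r->dir_config("lonSSOUserLogoutScriptFile_$info{domain}"))) {
                $ssologoutscript .= join('',<$fh>);
                close($fh);
            }
        }
        if (defined($r->dir_config('lonSSOUserLogoutScriptFile'))) {
            if (open(my $fh,'<',$r->dir_config('lonSSOUserLogoutScriptFile'))) {
                $ssologoutscript .= join('',<$fh>);
                close($fh);
            }
        }
    }
    if ($env{'request.linkprot'}) {
        $info{'linkprot'} = $env{'request.linkprot'};
        foreach my $item ('linkprotuser','linkprotexit') {
            if ($env{'request.'.$item}) {
                $info{$item} = $env{'request.'.$item};
            }
        }
    } elsif ($env{'request.linkkey'} ne '') {
        $info{'linkkey'} = $env{'request.linkkey'};
    }
    # Remaining request.* items are copied to the handover under the same
    # name whenever they are set.
    foreach my $item (qw(sso.reloginserver deeplink.login lti.login lti.uri
                         lti.reqcrs lti.reqrole lti.selfenrollrole lti.sourcecrs
                         lti.passbackid lti.passbackurl lti.rosterid lti.rosterurl
                         lti.target)) {
        if ($env{'request.'.$item}) {
            $info{$item} = $env{'request.'.$item};
        }
    }

    # The token identifies the tmpput() record on the target; together
    # with domain and username it travels in the redirect query string.
    my $token = &Apache::lonnet::tmpput(\%info,$env{'form.otherserver'});
    my @args = ("domain=$env{'user.domain'}",
                "username=$env{'user.name'}",
                "token=$token");
    my $url = $protocol.'://'.$switch_to.'/adm/login?'.join('&',@args);
    # In the SSO pop-up flow only the body is rendered.
    if ($env{'form.lcssowin'}) {
        $only_body = 1;
    }
    # --------------------------------------------------------------- Screen Output
    return &do_redirect($r, $url, $only_body, $ssologoutscript, $env{'form.lcssowin'});
}

1;
__END__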