--- loncom/auth/lonacc.pm 2021/12/12 00:53:57 1.159.2.21 +++ loncom/auth/lonacc.pm 2021/12/30 04:47:38 1.159.2.21.2.1 @@ -1,7 +1,7 @@ # The LearningOnline Network # Cookie Based Access Handler # -# $Id: lonacc.pm,v 1.159.2.21 2021/12/12 00:53:57 raeburn Exp $ +# $Id: lonacc.pm,v 1.159.2.21.2.1 2021/12/30 04:47:38 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -102,6 +102,7 @@ use Apache::loncommon(); use Apache::lonlocal; use Apache::restrictedaccess(); use Apache::blockedaccess(); +use Apache::lonprotected(); use Fcntl qw(:flock); use LONCAPA qw(:DEFAULT :match); @@ -297,7 +298,9 @@ sub sso_login { my $query = $r->args; my %form; if ($query) { - my @items = ('role','symb','iptoken','origurl','logtoken'); + + my @items = ('role','symb','iptoken','origurl','ttoken', + 'ltoken','linkkey','logtoken','sso'); &Apache::loncommon::get_unprocessed_cgi($query,\@items); foreach my $item (@items) { if (defined($env{'form.'.$item})) { @@ -315,17 +318,45 @@ sub sso_login { } } + my ($linkprot,$linkkey); + # # If Shibboleth auth is in use, and a dual SSO and non-SSO login page # is in use, then the query string will contain the logtoken item with # a value set to the name of a .tmp file in /home/httpd/perl/tmp # containing the url to display after authentication, and also, -# optionally, role and symb. +# optionally, role and symb, or linkprot or linkkey (deep-link access). # -# Otherwise the query string may contain role and symb. +# If Shibboleth auth is in use, but a dual log-in page is not in use, +# and the originally requested URL was /tiny/$domain/$id (i.e., +# for deeplinking), then the query string will contain the sso item +# with a value set to the name of a .tmp file in /home/httpd/perl/tmp +# containing the url to display after authentication, and also, +# optionally, linkprot or linkkey (deep-link access). # - - if ($form{'logtoken'}) { +# Otherwise the query string may contain role and symb, or if the +# originally requested URL was /tiny/$domain/$id (i.e. for deeplinking) +# then the query string may contain a ttoken item with a value set +# to the name of a .tmp file in /home/httpd/perl/tmp containing either +# linkprot or linkkey (deep-link access). +# +# If deep-linked, i.e., the originally requested URL was /tiny/$domain/$id +# the linkkey may have originally been sent in POSTed data, which will +# have been processed in lontrans.pm +# + + if ($form{'ttoken'}) { + my %info = &Apache::lonnet::tmpget($form{'ttoken'}); + &Apache::lonnet::tmpdel($form{'ttoken'}); + if ($info{'origurl'}) { + $form{'origurl'} = $info{'origurl'}; + } + if ($info{'linkprot'}) { + $linkprot = $info{'linkprot'}; + } elsif ($info{'linkkey'} ne '') { + $linkkey = $info{'linkkey'}; + } + } elsif ($form{'logtoken'}) { my ($firsturl,@rest); my $lonhost = $r->dir_config('lonHostID'); my $tmpinfo = &Apache::lonnet::reply('tmpget:'.$form{'logtoken'},$lonhost); @@ -340,11 +371,46 @@ sub sso_login { my ($key,$value) = split(/=/,$item); $form{$key} = &unescape($value); } + if ($firsturl =~ m{^/tiny/$match_domain/\w+$}) { + $form{'origurl'} = $firsturl; + } + if ($form{'linkprot'}) { + $linkprot = $form{'linkprot'}; + } elsif ($form{'linkkey'} ne '') { + $linkkey = $form{'linkkey'}; + } if ($form{'iptoken'}) { %sessiondata = &Apache::lonnet::tmpget($form{'iptoken'}); my $delete = &Apache::lonnet::tmpdel($form{'iptoken'}); } } + } elsif ($form{'sso'}) { + my $lonhost = $r->dir_config('lonHostID'); + my $info = &Apache::lonnet::reply('tmpget:'.$form{'sso'},$lonhost); + &Apache::lonnet::tmpdel($form{'sso'}); + unless (($info=~/^error/) || ($info eq 'con_lost') || + ($info eq 'no_such_host')) { + my ($firsturl,@rest)=split(/\&/,$info); + if ($firsturl ne '') { + $form{'origurl'} = &unescape($firsturl); + } + foreach my $item (@rest) { + my ($key,$value) = split(/=/,$item); + $form{$key} = &unescape($value); + } + if ($form{'linkprot'}) { + $linkprot = $form{'linkprot'}; + } elsif ($form{'linkkey'} ne '') { + $linkkey = $form{'linkkey'}; + } + } + } elsif ($form{'ltoken'}) { + my %link_info = &Apache::lonnet::tmpget($form{'ltoken'}); + $linkprot = $link_info{'linkprot'}; + my $delete = &Apache::lonnet::tmpdel($form{'ltoken'}); + delete($form{'ltoken'}); + } elsif ($form{'linkkey'} ne '') { + $linkkey = $form{'linkkey'}; } my $domain = $r->dir_config('lonSSOUserDomain'); @@ -396,6 +462,18 @@ sub sso_login { $env{'form.origurl'} = $r->uri; } } + if (($r->uri eq '/adm/sso') && ($form{'origurl'} =~ m{^/+tiny/+$match_domain/+\w+$})) { + $env{'request.deeplink.login'} = $form{'origurl'}; + } elsif ($r->uri =~ m{^/+tiny/+$match_domain/+\w+$}) { + $env{'request.deeplink.login'} = $r->uri; + } + if ($env{'request.deeplink.login'}) { + if ($linkprot) { + $env{'request.linkprot'} = $linkprot; + } elsif ($linkkey ne '') { + $env{'request.linkkey'} = $linkkey; + } + } $env{'request.sso.login'} = 1; if (defined($r->dir_config("lonSSOReloginServer"))) { $env{'request.sso.reloginserver'} = @@ -429,6 +507,18 @@ sub sso_login { $info{'origurl'} = $r->uri; } } + if (($r->uri eq '/adm/sso') && ($form{'origurl'} =~ m{^/+tiny/+$match_domain/+\w+$})) { + $info{'deeplink.login'} = $form{'origurl'}; + } elsif ($r->uri =~ m{^/+tiny/+$match_domain/+\w+$}) { + $info{'deeplink.login'} = $r->uri; + } + if ($info{'deeplink.login'}) { + if ($linkprot) { + $info{'linkprot'} = $linkprot; + } elsif ($linkkey ne '') { + $info{'linkkey'} = $linkkey; + } + } if ($r->dir_config("ssodirecturl") == 1) { $info{'origurl'} = $r->uri; } @@ -466,7 +556,7 @@ sub sso_login { $r->subprocess_env->set('SSOUserUnknown' => $user); $r->subprocess_env->set('SSOUserDomain' => $domain); if (grep(/^sso$/,@cancreate)) { -#FIXME - need to preserve origurl, role and symb for use after account +#FIXME - need to preserve origurl, role and symb, or linkprot or linkkey for use after account # creation $r->set_handlers('PerlHandler'=> [\&Apache::createaccount::handler]); $r->handler('perl-script'); @@ -631,7 +721,15 @@ sub handler { } } } - + if ($requrl=~m{^/+tiny/+$match_domain/+\w+$}) { + if ($env{'user.name'} eq 'public' && + $env{'user.domain'} eq 'public') { + $env{'request.firsturl'}=$requrl; + return FORBIDDEN; + } else { + return OK; + } + } # ---------------------------------------------------------------- Check access my $now = time; my ($check_symb,$check_access,$check_block,$access,$poss_symb); @@ -643,7 +741,8 @@ sub handler { if (($requrl eq '/adm/viewclasslist') || ($requrl =~ m{^(/adm/wrapper|)\Q/uploaded/$cdom/$cnum/docs/\E}) || ($requrl =~ m{^/adm/.*/aboutme$}) || - ($requrl=~m{^/adm/coursedocs/showdoc/})) { + ($requrl=~m{^/adm/coursedocs/showdoc/}) || + ($requrl=~m{^(/adm/wrapper|)/adm/$cdom/$cnum/\d+/ext\.tool$})) { $check_block = 1; } } @@ -656,7 +755,8 @@ sub handler { ($requrl=~m|\.problem/smpedit$|) || ($requrl=~/^\/public\/.*\/syllabus$/) || ($requrl=~/^\/adm\/(viewclasslist|navmaps)$/) || - ($requrl=~/^\/adm\/.*\/aboutme\/portfolio(\?|$)/)) { + ($requrl=~/^\/adm\/.*\/aboutme\/portfolio(\?|$)/) || + ($requrl=~m{^/adm/$cdom/$cnum/\d+/ext\.tool$})) { $check_symb = 1; } } @@ -689,6 +789,9 @@ sub handler { if ((!$env{'request.role.adv'}) && ($env{'acc.randomout'}) && ($env{'acc.randomout'}=~/\&\Q$poss_symb\E\&/)) { undef($poss_symb); + } elsif ((!$env{'request.role.adv'}) && ($env{'acc.deeplinkout'}) && + ($env{'acc.deeplinkout'}=~/\&\Q$poss_symb\E\&/)) { + undef($poss_symb); } } } @@ -698,8 +801,19 @@ sub handler { $access=&Apache::lonnet::allowed('bre',$requrl,'','','','',1); } } else { + my $nodeeplinkcheck; + if (($check_access) && ($requrl =~ /\.(sequence|page)$/)) { + unless ($env{'form.navmap'}) { + if ($r->args ne '') { + &Apache::loncommon::get_unprocessed_cgi($r->args,['navmap']); + unless ($env{'form.navmap'}) { + $nodeeplinkcheck = 1; + } + } + } + } my $clientip = &Apache::lonnet::get_requestor_ip($r); - $access=&Apache::lonnet::allowed('bre',$requrl,'','',$clientip); + $access=&Apache::lonnet::allowed('bre',$requrl,'','',$clientip,'','',$nodeeplinkcheck); } } if ($check_block) { @@ -737,6 +851,10 @@ sub handler { &Apache::blockedaccess::setup_handler($r); return OK; } + if ($access eq 'D') { + &Apache::lonprotected::setup_handler($r); + return OK; + } if (($access ne '2') && ($access ne 'F')) { if ($requrl =~ m{^/res/}) { $access = &Apache::lonnet::allowed('bro',$requrl);