--- loncom/auth/lonauth.pm	2020/05/02 15:29:40	1.121.2.19
+++ loncom/auth/lonauth.pm	2014/10/04 02:59:32	1.135
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # User Authentication Module
 #
-# $Id: lonauth.pm,v 1.121.2.19 2020/05/02 15:29:40 raeburn Exp $
+# $Id: lonauth.pm,v 1.135 2014/10/04 02:59:32 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -32,6 +32,8 @@ use strict;
 use LONCAPA;
 use Apache::Constants qw(:common);
 use CGI qw(:standard);
+use DynaLoader; # for Crypt::DES version
+use Crypt::DES;
 use Apache::loncommon();
 use Apache::lonnet;
 use Apache::lonmenu();
@@ -40,12 +42,11 @@ use Fcntl qw(:flock);
 use Apache::lonlocal;
 use Apache::File();
 use HTML::Entities;
-use Digest::MD5;
  
 # ------------------------------------------------------------ Successful login
 sub success {
     my ($r, $username, $domain, $authhost, $lowerurl, $extra_env,
-	$form,$cid) = @_;
+	$form) = @_;
 
 # ------------------------------------------------------------ Get cookie ready
     my $cookie =
@@ -71,27 +72,8 @@ sub success {
         }
     }
 
-# ------------------------------------------------------------ Get cookies ready
-    my ($securecookie,$defaultcookie);
-    my $ssl = $r->subprocess_env('https');
-    if ($ssl) {
-        $securecookie="lonSID=$cookie; path=/; HttpOnly; secure";
-        my $lonidsdir=$r->dir_config('lonIDsDir');
-        if (($lonidsdir) && (-e "$lonidsdir/$cookie.id")) {
-            my $linkname=substr(Digest::MD5::md5_hex(Digest::MD5::md5_hex(time(). {}. rand(). $$)), 0, 32).'_linked';
-            if (-e "$lonidsdir/$linkname.id") {
-                unlink("$lonidsdir/$linkname.id");
-            }
-            my $made_symlink = eval { symlink("$lonidsdir/$cookie.id",
-                                              "$lonidsdir/$linkname.id"); 1 };
-            if ($made_symlink) {
-                $defaultcookie = "lonLinkID=$linkname; path=/; HttpOnly;";
-                &Apache::lonnet::appenv({'user.linkedenv' => $linkname});
-            }
-        }
-    } else {
-        $defaultcookie = "lonID=$cookie; path=/; HttpOnly;";
-    }
+# ------------------------------------------------------------ Get cookie ready
+    $cookie="lonID=$cookie; path=/";
 # -------------------------------------------------------- Menu script and info
     my $destination = $lowerurl;
 
@@ -117,26 +99,18 @@ sub success {
     }
     if (defined($form->{symb})) {
         my $destsymb = $form->{symb};
-        my $encrypted;
-        if ($destsymb =~ m{^/enc/}) {
-            $encrypted = 1;
-            if ($cid) {
-                $destsymb = &Apache::lonenc::unencrypted($destsymb,$cid);
-            }
-        }
         $destination  .= ($destination =~ /\?/) ? '&' : '?';
         if ($destsymb =~ /___/) {
+            # FIXME Need to deal with encrypted symbs and urls as needed.
             my ($map,$resid,$desturl)=split(/___/,$destsymb);
-            $desturl = &Apache::lonnet::clutter($desturl);
-            if ($encrypted) {
-                $desturl = &Apache::lonenc::encrypted($desturl,1,$cid);
-                $destsymb = $form->{symb};
+            unless ($desturl=~/^(adm|editupload|public)/) {
+                $desturl = &Apache::lonnet::clutter($desturl);
             }
             $desturl = &HTML::Entities::encode($desturl,'"<>&');
             $destsymb = &HTML::Entities::encode($destsymb,'"<>&');
             $destination .= 'destinationurl='.$desturl.
                             '&destsymb='.$destsymb;
-        } elsif (!$encrypted) {
+        } else {
             $destsymb = &HTML::Entities::encode($destsymb,'"<>&');
             $destination .= 'destinationurl='.$destsymb;
         }
@@ -146,32 +120,20 @@ sub success {
         $destination .= 'source=login';
     }
 
-    my $windowinfo=&Apache::lonmenu::open($env{'browser.os'});
-    my $startupremote=&Apache::lonmenu::startupremote($destination);
-    my $remoteinfo=&Apache::lonmenu::load_remote_msg($lowerurl);
-    my $setflags=&Apache::lonmenu::setflags();
-    my $maincall=&Apache::lonmenu::maincall();
+    my $windowinfo = Apache::lonhtmlcommon::scripttag('self.name="loncapaclient";');
+    my $header = '<meta HTTP-EQUIV="Refresh" CONTENT="0; url='.$destination.'" />';
     my $brcrum = [{'href' => '',
                    'text' => 'Successful Login'},];
     my $start_page=&Apache::loncommon::start_page('Successful Login',
-                                                  $startupremote,
-                                                  {'no_inline_link' => 1,
-                                                   'bread_crumbs' => $brcrum,});
+                                                  $header,
+                                                  {'bread_crumbs' => $brcrum,});
     my $end_page  =&Apache::loncommon::end_page();
 
-    my $continuelink;
-    if ($env{'environment.remote'} eq 'off') {
-	$continuelink='<a href="'.$destination.'">'.&mt('Continue').'</a>';
-    }
+	my $continuelink='<a href="'.$destination.'">'.&mt('Continue').'</a>';
 # ------------------------------------------------- Output for successful login
 
     &Apache::loncommon::content_type($r,'text/html');
-    if ($securecookie) {
-        $r->headers_out->add('Set-cookie' => $securecookie);
-    }
-    if ($defaultcookie) {
-        $r->headers_out->add('Set-cookie' => $defaultcookie);
-    }
+    $r->header_out('Set-cookie' => $cookie);
     $r->send_http_header;
 
     my %lt=&Apache::lonlocal::texthash(
@@ -186,13 +148,10 @@ sub success {
     my $welcome = &mt('Welcome to the Learning[_1]Online[_2] Network with CAPA. Please wait while your session is being set up.','<i>','</i>'); 
     $r->print(<<ENDSUCCESS);
 $start_page
-$setflags
 $windowinfo
 <h1>$lt{'wel'}</h1>
 $welcome
 $loginhelp
-$remoteinfo
-$maincall
 $continuelink
 $end_page
 ENDSUCCESS
@@ -271,6 +230,7 @@ sub reroute {
 sub handler {
     my $r = shift;
     my $londocroot = $r->dir_config('lonDocRoot');
+    my $form;
 # Are we re-routing?
     if (-e "$londocroot/lon-status/reroute.txt") {
 	&reroute($r);
@@ -334,11 +294,10 @@ sub handler {
 
 # split user logging in and "su"-user
 
-    ($form{'uname'},$form{'suname'},$form{'sudom'})=split(/\:/,$form{'uname'});
+    ($form{'uname'},$form{'suname'})=split(/\:/,$form{'uname'});
     $form{'uname'} = &LONCAPA::clean_username($form{'uname'});
     $form{'suname'}= &LONCAPA::clean_username($form{'suname'});
-    $form{'udom'}  = &LONCAPA::clean_domain($form{'udom'});
-    $form{'sudom'} = &LONCAPA::clean_domain($form{'sudom'});
+    $form{'udom'}  = &LONCAPA::clean_domain(  $form{'udom'});
 
     my $role   = $r->dir_config('lonRole');
     my $domain = $r->dir_config('lonDefDomain');
@@ -389,7 +348,26 @@ sub handler {
         (undef,$form{'iptoken'}) = split('=',$iptokenstr);
     }
 
-    my $upass = &Apache::loncommon::des_decrypt($key,$form{'upass0'});
+    my $keybin=pack("H16",$key);
+
+    my $cipher;
+    if ($Crypt::DES::VERSION>=2.03) {
+	$cipher=new Crypt::DES $keybin;
+    }
+    else {
+	$cipher=new DES $keybin;
+    }
+    my $upass='';
+    for (my $i=0;$i<=2;$i++) {
+	my $chunk=
+	    $cipher->decrypt(unpack("a8",pack("H16",substr($form{'upass'.$i},0,16))));
+
+	$chunk.=
+	    $cipher->decrypt(unpack("a8",pack("H16",substr($form{'upass'.$i},16,16))));
+
+	$chunk=substr($chunk,1,ord(substr($chunk,0,1)));
+	$upass.=$chunk;
+    }
 
 # ---------------------------------------------------------------- Authenticate
 
@@ -420,8 +398,7 @@ sub handler {
                 return OK;
             }
             my $start_page = 
-                &Apache::loncommon::start_page('Create a user account in LON-CAPA',
-                                               '',{'no_inline_link'   => 1,});
+                &Apache::loncommon::start_page('Create a user account in LON-CAPA');
             my $lonhost = $r->dir_config('lonHostID');
             my $origmail = $Apache::lonnet::perlvar{'lonSupportEMail'};
             my $contacts = 
@@ -463,68 +440,20 @@ sub handler {
 
 # --------------------------------- Are we attempting to login as somebody else?
     if ($form{'suname'}) {
-        my ($suname,$sudom,$sudomref);
-        $suname = $form{'suname'};
-        $sudom = $form{'udom'};
-        if ($form{'sudom'}) {
-            unless ($sudom eq $form{'sudom'}) {
-                if (&Apache::lonnet::domain($form{'sudom'})) {
-                    $sudomref = [$form{'sudom'}];
-                    $sudom = $form{'sudom'};
-                }
-            }
-        }
 # ------------ see if the original user has enough privileges to pull this stunt
-	if (&Apache::lonnet::privileged($form{'uname'},$form{'udom'},$sudomref)) {
+	if (&Apache::lonnet::privileged($form{'uname'},$form{'udom'})) {
 # ---------------------------------------------------- see if the su-user exists
-	    unless (&Apache::lonnet::homeserver($suname,$sudom) eq 'no_host') {
+	    unless (&Apache::lonnet::homeserver($form{'suname'},$form{'udom'})
+		eq 'no_host') {
+		&Apache::lonnet::logthis(&Apache::lonnet::homeserver($form{'suname'},$form{'udom'}));
 # ------------------------------ see if the su-user is not too highly privileged
-		if (&Apache::lonnet::privileged($suname,$sudom)) {
-                    &Apache::lonnet::logthis('Attempted switch user to privileged user');
-                } else {
-                    my $noprivswitch;
-#
-# su-user's home server and user's home server must have one of:
-# (a) same domain
-# (b) same primary library server for the two domains
-# (c) same "internet domain" for primary library server(s) for home servers' domains
-#
-                    my $suprim = &Apache::lonnet::domain($sudom,'primary');
-                    my $suintdom = &Apache::lonnet::internet_dom($suprim);
-                    unless ($sudom eq $form{'udom'}) {
-                        my $uprim = &Apache::lonnet::domain($form{'udom'},'primary');
-                        my $uintdom = &Apache::lonnet::internet_dom($uprim);
-                        unless ($suprim eq $uprim) {
-                            unless ($suintdom eq $uintdom) {
-                                &Apache::lonnet::logthis('Attempted switch user '
-                                   .'to user with different "internet domain".');
-                                $noprivswitch = 1;
-                            }
-                        }
-                    }
-
-                    unless ($noprivswitch) {
-#
-# server where log-in occurs must have same "internet domain" as su-user's home
-# server
-#
-                        my $lonhost = $r->dir_config('lonHostID');
-                        my $hostintdom = &Apache::lonnet::internet_dom($lonhost);
-                        if ($hostintdom ne $suintdom) {
-                            &Apache::lonnet::logthis('Attempted switch user on a '
-                                .'server with a different "internet domain".');
-                        } else {
-
+		unless (&Apache::lonnet::privileged($form{'suname'},$form{'udom'})) {
 # -------------------------------------------------------- actually switch users
-
-			    &Apache::lonnet::logperm('User '.$form{'uname'}.' at '.
-				$form{'udom'}.' logging in as '.$suname.':'.$sudom);
-			    $form{'uname'}=$suname;
-                            if ($form{'udom'} ne $sudom) {
-                                $form{'udom'}=$sudom;
-                            }
-                        }
-                    }
+		    &Apache::lonnet::logperm('User '.$form{'uname'}.' at '.$form{'udom'}.
+			' logging in as '.$form{'suname'});
+		    $form{'uname'}=$form{'suname'};
+		} else {
+		    &Apache::lonnet::logthis('Attempted switch user to privileged user');
 		}
 	    }
 	} else {
@@ -536,25 +465,13 @@ sub handler {
 
     unless ($hosthere) {
         ($is_balancer,$otherserver) =
-            &Apache::lonnet::check_loadbalancing($form{'uname'},$form{'udom'},'login');
-        if ($is_balancer) {
-            if ($otherserver eq '') {
-                my $lowest_load;
-                ($otherserver,undef,undef,undef,$lowest_load) = &Apache::lonnet::choose_server($form{'udom'});
-                if ($lowest_load > 100) {
-                    $otherserver = &Apache::lonnet::spareserver($lowest_load,$lowest_load,1,$form{'udom'});
-                }
-            }
-            if ($otherserver ne '') {
-                my @hosts = &Apache::lonnet::current_machine_ids();
-                if (grep(/^\Q$otherserver\E$/,@hosts)) {
-                    $hosthere = $otherserver;
-                }
-            }
-        }
+            &Apache::lonnet::check_loadbalancing($form{'uname'},$form{'udom'});
     }
 
-    if (($is_balancer) && (!$hosthere)) {
+    if ($is_balancer) {
+        if (!$otherserver) { 
+            ($otherserver) = &Apache::lonnet::choose_server($form{'udom'});
+        }
         if ($otherserver) {
             &success($r,$form{'uname'},$form{'udom'},$authhost,'noredirect',undef,
                      \%form);
@@ -622,9 +539,6 @@ sub handler {
                 return OK;
             }
         }
-        if (($is_balancer) && ($hosthere)) {
-            $form{'noloadbalance'} = $hosthere;
-        }
         &success($r,$form{'uname'},$form{'udom'},$authhost,$firsturl,undef,
                  \%form);
         return OK;