[BACK]Return to lonracc.pm CVS log [TXT] [DIR] Up to [LON-CAPA] / loncom / auth
File:  [LON-CAPA] / loncom / auth / lonracc.pm
Revision 1.24: download - view: text, annotated - select for diffs
Fri Dec 18 15:23:03 2020 UTC (4 years, 2 months ago) by raeburn
Branches: MAIN
CVS tags: version_2_12_X, version_2_11_X, version_2_11_6_msu, version_2_11_6, version_2_11_5_msu, version_2_11_5, version_2_11_4_uiuc, version_2_11_4_msu, version_2_11_4, version_2_11_3_uiuc, version_2_11_3_msu, version_2_11_3, HEAD
- Retrieval of requestor's IP address centralized in lonnet::get_requestor_ip()
- Domain configuration to allow domain's LON-CAPA nodes to operate behind a
  WAF/Reverse Proxy using aliased hostname (CNAME).
- Web requests from other nodes bypass the WAF as their requests are made
  directly to the server hostname (A record); same for internal LON-CAPA
  connections for lonc -> lond.

    1: # The LearningOnline Network
    2: # Access Handler for File Transfers
    3: #
    4: # $Id: lonracc.pm,v 1.24 2020/12/18 15:23:03 raeburn Exp $
    5: #
    6: # Copyright Michigan State University Board of Trustees
    7: #
    8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
    9: #
   10: # LON-CAPA is free software; you can redistribute it and/or modify
   11: # it under the terms of the GNU General Public License as published by
   12: # the Free Software Foundation; either version 2 of the License, or
   13: # (at your option) any later version.
   14: #
   15: # LON-CAPA is distributed in the hope that it will be useful,
   16: # but WITHOUT ANY WARRANTY; without even the implied warranty of
   17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   18: # GNU General Public License for more details.
   19: #
   20: # You should have received a copy of the GNU General Public License
   21: # along with LON-CAPA; if not, write to the Free Software
   22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
   23: #
   24: # /home/httpd/html/adm/gpl.txt
   25: #
   26: # http://www.lon-capa.org/
   27: #
   28: 
   29: =pod
   30: 
   31: =head1 NAME
   32: 
   33: Apache::lonracc - Access Handler for File Transfers
   34: 
   35: =head1 SYNOPSIS
   36: 
   37: Invoked by /etc/httpd/conf/loncapa.conf:
   38: 
   39:  <LocationMatch "^/raw.*">
   40:  PerlAccessHandler Apache::lonracc
   41:  </LocationMatch>
   42: 
   43: =head1 INTRODUCTION
   44: 
   45: This module enables authentication for file transfers and works
   46: against the /res tree.
   47: 
   48: Only lond invokes the /raw namespace through its subscribe function.
   49: 
   50: This is part of the LearningOnline Network with CAPA project
   51: described at http://www.lon-capa.org.
   52: 
   53: =head1 HANDLER SUBROUTINE
   54: 
   55: This routine is called by Apache and mod_perl.
   56: 
   57: =over 4
   58: 
   59: =item *
   60: 
   61: Determine requesting host
   62: 
   63: =item *
   64: 
   65: See whether or not the requesting host is subscribed.
   66: 
   67: =item *
   68: 
   69: Respond with status of request and make log entry in case of unallowed
   70: access.
   71: 
   72: =back
   73: 
   74: =cut
   75: 
   76: package Apache::lonracc;
   77: 
   78: use strict;
   79: use Apache::Constants qw(:common :remotehost);
   80: use Apache::lonnet;
   81: use Apache::File();
   82: use IO::Socket;
   83: 
   84: sub subscribed {
   85:     my ($filename,$id) = @_;
   86: 
   87:     return 0 if (!-e "$filename.subscription");
   88: 
   89:     my $hostname=&Apache::lonnet::hostname($id);
   90:     my (undef,undef,undef,undef,$ip) = gethostbyname($hostname);
   91:     
   92:     return 0 if (length($ip) != 4);
   93: 
   94:     $ip=inet_ntoa($ip);
   95: 
   96:     my $expr='^'.quotemeta($id).':'.quotemeta($ip).':';
   97: 
   98:     my $found=0;
   99:     if (my $sh=Apache::File->new("$filename.subscription")) {
  100: 	while (my $subline=<$sh>) { if ($subline =~ /$expr/) { $found=1; } }
  101: 	$sh->close();
  102:     }
  103:     return $found;
  104: }
  105: 
  106: sub handler {
  107:     my $r = shift;
  108: 
  109:     my $filename=$r->filename;
  110:     if (!-e $filename) {
  111: 	return NOT_FOUND;
  112:     }
  113: 
  114:     my $reqhost = &Apache::lonnet::get_requestor_ip($r,REMOTE_NOLOOKUP,1);
  115:     my @hostids= &Apache::lonnet::get_hosts_from_ip($reqhost);
  116:     if (!@hostids && $reqhost ne '127.0.0.1' ) {
  117: 	$r->log_reason("Unable to find a host for ".
  118: 		       $r->get_remote_host(REMOTE_NOLOOKUP));
  119: 	return FORBIDDEN;
  120:     }
  121:     if ($reqhost eq '127.0.0.1') {
  122: 	return OK;
  123:     }
  124:     my $return;
  125:     my @ids;
  126: 
  127:     foreach my $id (@hostids) {
  128: 	my $uri =$r->uri;
  129: 	if (($filename=~/\.meta$/) ||
  130: 	    ($uri=~m|^/raw/uploaded|) ||
  131: 	    (-e "$filename.$id") ||
  132: 	    &subscribed($filename,$id) ) {
  133: 	    return OK;
  134: 	} else {
  135: 	    $return=FORBIDDEN;
  136: 	    push(@ids,$id);
  137: 	}
  138:     }
  139:     if ($return == FORBIDDEN) {
  140: 	$r->log_reason(join(':',@ids)." not subscribed", $r->filename);
  141: 	return FORBIDDEN;
  142:     }
  143:     $r->log_reason("Invalid request for file transfer from $reqhost", 
  144:                    $r->filename); 
  145:     return FORBIDDEN;
  146: }
  147: 
  148: 1;
  149: __END__
  150: 
  151: 
  152: 
  153: 
  154: 
  155: 
  156: 
  157: 
  158:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>