Annotation of loncom/auth/lonstatusacc.pm, revision 1.1

1.1     ! raeburn     1: #
        !             2: # LON-CAPA authorization for pages generated by server-status reports 
        !             3: #
        !             4: # $Id: lonstatusacc.pm,v 1.1 2008/11/28 17:15:00 raeburn Exp $
        !             5: #
        !             6: # Copyright Michigan State University Board of Trustees
        !             7: #
        !             8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
        !             9: #
        !            10: # LON-CAPA is free software; you can redistribute it and/or modify
        !            11: # it under the terms of the GNU General Public License as published by
        !            12: # the Free Software Foundation; either version 2 of the License, or
        !            13: # (at your option) any later version.
        !            14: #
        !            15: # LON-CAPA is distributed in the hope that it will be useful,
        !            16: # but WITHOUT ANY WARRANTY; without even the implied warranty of
        !            17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
        !            18: # GNU General Public License for more details.
        !            19: #
        !            20: # You should have received a copy of the GNU General Public License
        !            21: # along with LON-CAPA; if not, write to the Free Software
        !            22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
        !            23: #
        !            24: # /home/httpd/html/adm/gpl.txt
        !            25: #
        !            26: # http://www.lon-capa.org/
        !            27: #
        !            28: #############################################
        !            29: #############################################
        !            30: 
        !            31: package Apache::lonstatusacc;
        !            32: 
        !            33: use strict;
        !            34: use Apache::Constants qw(:common :remotehost);
        !            35: use Apache::lonnet;
        !            36: use LONCAPA::loncgi;
        !            37: 
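        # PerlAccessHandler entry point for Apache's /server-status page, for the
        # files served from the lon-status directory, and for /adm/test.
        #
        # Argument: $r - the Apache request object.
        # Returns:  OK        - the requester is authorized and the page exists;
        #           FORBIDDEN - the requester is not authorized (the refusal is
        #                       written to the error log via log_reason);
        #           NOT_FOUND - an authorized requester asked for a lon-status
        #                       file that does not exist on disk.
        #
        # The authorization decision is made before the file-existence test, so an
        # unauthorized client always receives FORBIDDEN and cannot use the
        # FORBIDDEN/NOT_FOUND difference to learn which status files exist.
        sub handler {
            my $r = shift;
            # REMOTE_NOLOOKUP: use the address of the connecting peer, no DNS lookup.
            # NOTE(review): if this server sits behind a reverse proxy, this is
            # presumably the proxy's address rather than the client's -- confirm
            # before relying on the address-based rules.
            my $reqhost = $r->get_remote_host(REMOTE_NOLOOKUP);
            my $uri = $r->uri;

            # Map the requested URI to the page name used by the access checks.
            my $page = 'serverstatus';
            if ($uri eq '/adm/test') {
                $page = 'showenv';
            } elsif ($uri ne '/server-status') {
                $page = 'lonstatus';
            }

            if (!&_status_access_allowed($page,$reqhost)) {
                $r->log_reason("Invalid request for server status from $reqhost",
                               $uri);
                return FORBIDDEN;
            }

            # Only the lon-status pages are checked against the filesystem.
            if (($page eq 'lonstatus') && (!-e $r->filename)) {
                return NOT_FOUND;
            }
            return OK;
        }

        # Private helper: decide whether a request from $reqhost may see $page.
        #
        # Arguments: $page    - 'showenv', 'serverstatus' or 'lonstatus';
        #            $reqhost - address of the requesting client.
        # Returns:   1 if access is allowed, 0 otherwise.
        sub _status_access_allowed {
            my ($page,$reqhost) = @_;

            if ($page eq 'showenv') {
                # /adm/test: a valid session is required (see HANDLER SUBROUTINE in
                # the POD); the only other grant is the loopback address.  A request
                # without a valid session is no longer passed on to the LON-CAPA
                # host and address-list rules used for the other pages.
                # The cookie check is made first, before the loopback test, so the
                # call is still made for every /adm/test request.
                # NOTE(review): presumably the page handler relies on the
                # environment this call loads -- confirm.
                if (&LONCAPA::loncgi::check_cookie_and_load_env()) {
                    return 1 if (&LONCAPA::loncgi::can_view($page));
                    return 1 if (&LONCAPA::loncgi::check_ipbased_access($page,$reqhost));
                }
                return ($reqhost eq '127.0.0.1') ? 1 : 0;
            }

            # Loopback requests are allowed for any page.  Only the IPv4 loopback
            # literal is recognised; any other spelling falls through to the checks
            # below.
            return 1 if ($reqhost eq '127.0.0.1');

            my @hostids = &Apache::lonnet::get_hosts_from_ip($reqhost);
            my @poss_domains = &Apache::lonnet::current_machine_domains();
            if (@hostids > 0) {
                # The address belongs to at least one LON-CAPA host: allow it when
                # one of that host's domains is also hosted on this machine.
                foreach my $id (@hostids) {
                    next if ((!defined($id)) || ($id eq ''));
                    my $dom = &Apache::lonnet::host_domain($id);
                    next if ((!defined($dom)) || ($dom eq ''));
                    # Exact string comparison of the domain names.
                    return 1 if (grep { $_ eq $dom } @poss_domains);
                }
                # NOTE(review): a LON-CAPA host with no shared domain is refused
                # here without the address-list or session checks being tried,
                # although the POD lists those as independent grants.  Left as is,
                # because running them would widen access -- confirm the intent.
            } elsif (&LONCAPA::loncgi::check_ipbased_access($page,$reqhost)) {
                return 1;
            } elsif (&LONCAPA::loncgi::check_cookie_and_load_env($page)) {
                return 1 if (&LONCAPA::loncgi::can_view($page));
            }
            return 0;
        }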
        !            86: 
        !            87: 1;
        !            88: 
        !            89: __END__
        !            90: 
        !            91: =head1 NAME
        !            92: 
        !            93: Apache::lonstatusacc - Access Handler for Apache's server-status page 
        !            94: and also pages in lon-status directory.
        !            95: 
        !            96: =head1 SYNOPSIS
        !            97: 
        !            98: Invoked (for appropriate locations) by /etc/httpd/conf/loncapa_apache.conf
        !            99: 
        !           100:  PerlAccessHandler       Apache::lonstatusacc
        !           101: 
        !           102: =head1 INTRODUCTION
        !           103: 
        !           104: This module can support access control based on IP 
        !           105: address, or based on Domain Configuration settings 
        !           106: for authenticated users (via cookie).
        !           107: 
        !           108: The module is used for control of access to
        !           109: (a) Apache's server-status page
        !           110: (b) Status pages in the /home/httpd/html/lon-status directory
        !           111:     which were generated as follows:
        !           112:     (i) when loncron was last run 
        !           113:         (index.html, loncron_simple.txt, loncstatus.txt, and londstatus.txt),
        !           114:     (ii) when lonsql was last started 
        !           115:          (mysql.txt - only on connection failure),
        !           116:     (iii) when /usr/local/loncapa/bin/CHECKRPMS was last run 
        !           117:          (checkrpms.txt),
        !           118:     (iv) when ./UPDATE was run to install/update 
        !           119:          (version.txt). 
        !           120: (c) User environment information reported by /adm/test
        !           121:  
        !           122: This is part of the LearningOnline Network with CAPA project
        !           123: described at http://www.lon-capa.org.
        !           124: 
        !           125: =head1 HANDLER SUBROUTINE
        !           126: 
        !           127: This routine is called by Apache and mod_perl.
        !           128: 
        !           129: The check for whether access is allowed for a specific page proceeds as follows:
        !           130: 
        !           131: (a) Access allowed for request from loopback address for any page.
        !           132: 
        !           133: (b) For any page except /adm/test, access allowed if at least one of the following applies:
        !           134:     (a) If request is from a LON-CAPA server, if at least one domain hosted on 
        !           135:         requesting machine is also a domain hosted on this server. 
        !           136:     (b) IP address of requesting server is listed in domain configuration list
        !           137:         of allowed machines for any of the domains hosted on this server
        !           138:     (c) Requestor has an active LON-CAPA session -- checked using
        !           139:         LONCAPA::loncgi::check_cookie_and_load_env() --
        !           140:         AND one of the following is true:
        !           141:         (i) Requestor has LON-CAPA superuser role
        !           142:         (ii) Requestor's role is Domain Coordinator in one of the domains
        !           143:              hosted on this server
        !           144:         (iii) Domain configurations for domains hosted on this server include
        !           145:               the requestor as one of the named users (username:domain) with access
        !           146:               to the page.
        !           147: 
        !           148: (c) /adm/test
        !           149:     Access requires a valid session - checked using 
        !           150:     LONCAPA::loncgi::check_cookie_and_load_env(). 
        !           151:     If so, access is allowed if one of the following is true:
        !           152:     (i) Requestor has LON-CAPA superuser role, or
        !           153:     (ii) Requestor's role is Domain Coordinator in one of the domains
        !           154:          hosted on this server
        !           155:     (iii) Domain configurations for domains hosted on this server include
        !           156:           the requestor as one of the named users (username:domain) with access
        !           157:           to the page.
        !           158:     (iv) IP address of requestor is listed in domain configuration list
        !           159:          of allowed machines for any of the domains hosted on this server
        !           160: 
        !           161: =cut 
        !           162: 
