Annotation of loncom/auth/lonstatusacc.pm, revision 1.5
1.1 raeburn 1: #
2: # LON-CAPA authorization for pages generated by server-status reports
3: #
1.5 ! raeburn 4: # $Id: lonstatusacc.pm,v 1.4 2008/12/25 01:52:56 raeburn Exp $
1.1 raeburn 5: #
6: # Copyright Michigan State University Board of Trustees
7: #
8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
9: #
10: # LON-CAPA is free software; you can redistribute it and/or modify
11: # it under the terms of the GNU General Public License as published by
12: # the Free Software Foundation; either version 2 of the License, or
13: # (at your option) any later version.
14: #
15: # LON-CAPA is distributed in the hope that it will be useful,
16: # but WITHOUT ANY WARRANTY; without even the implied warranty of
17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18: # GNU General Public License for more details.
19: #
20: # You should have received a copy of the GNU General Public License
21: # along with LON-CAPA; if not, write to the Free Software
22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23: #
24: # /home/httpd/html/adm/gpl.txt
25: #
26: # http://www.lon-capa.org/
27: #
28: #############################################
29: #############################################
30:
31: package Apache::lonstatusacc;
32:
33: use strict;
1.3 raeburn 34: use Apache::Constants qw(:common :http :remotehost);
1.1 raeburn 35: use Apache::lonnet;
36: use LONCAPA::loncgi;
1.4 raeburn 37: use LONCAPA::lonauthcgi;
1.1 raeburn 38:
39: sub handler {
40: my $r = shift;
41: my $reqhost = $r->get_remote_host(REMOTE_NOLOOKUP);
1.5 ! raeburn 42: my $page = 'server-status';
1.3 raeburn 43: if (($r->uri eq '/adm/domainstatus') ||
44: ($r->uri eq '/adm/test')) {
1.2 raeburn 45: if (&LONCAPA::loncgi::check_cookie_and_load_env($r)) {
1.3 raeburn 46: if ($r->uri eq '/adm/domainstatus') {
1.1 raeburn 47: return OK;
1.3 raeburn 48: } elsif ($r->uri eq '/adm/test') {
49: $page = 'showenv';
1.4 raeburn 50: if (&LONCAPA::lonauthcgi::can_view($page)) {
1.3 raeburn 51: return OK;
1.4 raeburn 52: } elsif (&LONCAPA::lonauthcgi::check_ipbased_access($page,$reqhost)) {
1.3 raeburn 53: return OK;
54: } else {
55: $Apache::lonnet::env{'user.error.msg'} =
56: $r->uri.":bre:1:1:Access Denied";
57: return HTTP_NOT_ACCEPTABLE;
58: }
1.1 raeburn 59: }
1.3 raeburn 60: } else {
61: return FORBIDDEN;
1.1 raeburn 62: }
63: } elsif ($r->uri ne '/server-status') {
64: $page = 'lonstatus';
65: if (!-e $r->filename) {
66: return NOT_FOUND;
67: }
68: }
69: if ($reqhost eq '127.0.0.1') {
70: return OK;
71: }
72: my @hostids= &Apache::lonnet::get_hosts_from_ip($reqhost);
73: my @poss_domains = &Apache::lonnet::current_machine_domains();
74: if (@hostids > 0) {
75: foreach my $id (@hostids) {
76: if ($id ne '') {
77: my $dom = &Apache::lonnet::host_domain($id);
78: if ($dom ne '') {
79: if (grep(/^\Q$dom\E$/,@poss_domains)) {
80: return OK;
81: }
82: }
83: }
84: }
1.4 raeburn 85: } elsif (&LONCAPA::lonauthcgi::check_ipbased_access($page,$reqhost)) {
1.1 raeburn 86: return OK;
87: } else {
1.2 raeburn 88: if (&LONCAPA::loncgi::check_cookie_and_load_env($r)) {
1.4 raeburn 89: if (&LONCAPA::lonauthcgi::can_view($page)) {
1.1 raeburn 90: return OK;
91: }
92: }
93: }
94: $r->log_reason("Invalid request for server status from $reqhost",
95: $r->uri);
96: return FORBIDDEN;
97: }
98:
99: 1;
100:
101: __END__
102:
103: =head1 NAME
104:
105: Apache::lonstatusacc - Access Handler for Apache's server-status page
106: and also pages in lon-status directory.
107:
108: =head1 SYNOPSIS
109:
110: Invoked (for appropriate locations) by /etc/httpd/conf/loncapa_apache.conf
111:
112: PerlAccessHandler Apache::lonstatusacc
113:
114: =head1 INTRODUCTION
115:
116: This module can support access control based on IP
117: address, or based on Domain Configuration settings
118: for authenticated users (via cookie).
119:
120: The module is used for control of access to
121: (a) Apache's server-status page
122: (b) Status pages in the /home/httpd/html/lon-status directory
123: which were generated as follows:
124: (i) when loncron was last run
125: (index.html, loncron_simple.txt, loncstatus.txt, and londstatus.txt),
126: (ii) when lonsql was last started
127: (mysql.txt - only on connection failure),
128: (iii) when /usr/local/loncapa/bin/CHECKRPMS was last run
129: (checkrpms.txt),
130: (iv) when ./UPDATE was run to install/update
131: (version.txt).
132: (c) User environment information reported by /adm/test
133:
134: This is part of the LearningOnline Network with CAPA project
135: described at http://www.lon-capa.org.
136:
137: =head1 HANDLER SUBROUTINE
138:
139: This routine is called by Apache and mod_perl.
140:
141: The check for whether access is allowed for a specific page proceeds as follows:
142:
143: (a) Access allowed for request from loopback address for any page.
144:
145: (b) For any page except /adm/test, access allowed if at least one of the following applies:
146: (a) If request is from a LON-CAPA server, if at least one domain hosted on
147: requesting machine is also a domain hosted on this server.
148: (b) IP address of requesting server is listed in domain configuration list
149: of allowed machines for any of the domains hosted on this server
150: (c) If requestor has an active LON-CAPA session -- checked using
151: LONCAPA::loncgi::check_cookie_and_load_env() -- access allowed
152: AND one of the following is true:
153: (i) Requestor has LON-CAPA superuser role
154: (ii) Requestor's role is Domain Coordinator in one of the domains
155: hosted on this server
156: (iii) Domain configurations for domains hosted on this server include
157: the requestor as one of the named users (username:domain) with access
158: to the page.
159:
160: (c) /adm/test
161: Access requires a valid session - checked using
162: LONCAPA::loncgi::check_cookie_and_load_env().
163: If so, access is allowed if one of the following is true:
164: (i) Requestor has LON-CAPA superuser role, or
165: (ii) Requestor's role is Domain Coordinator in one of the domains
166: hosted on this server
167: (iii) Domain configurations for domains hosted on this server include
168: the requestor as one of the named users (username:domain) with access
169: to the page.
170: (iv) IP address of requestor is listed in domain configuration list
171: of allowed machines for any of the domains hosted on this server
172:
173: =cut
174:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>