File: [LON-CAPA] / loncom / auth / lonstatusacc.pm
Revision 1.8
Fri Dec 18 15:23:03 2020 UTC (4 years ago) by raeburn
Branches: MAIN
CVS tags: version_2_12_X, version_2_11_X, version_2_11_5_msu, version_2_11_5, version_2_11_4_uiuc, version_2_11_4_msu, version_2_11_4, version_2_11_3_uiuc, version_2_11_3_msu, version_2_11_3, HEAD
- Retrieval of requestor's IP address centralized in lonnet::get_requestor_ip()
- Domain configuration to allow domain's LON-CAPA nodes to operate behind a WAF/Reverse Proxy using aliased hostname (CNAME).
- Web requests from other nodes bypass the WAF as their requests are made directly to the server hostname (A record); same for internal LON-CAPA connections for lonc -> lond.
#
# LON-CAPA authorization for pages generated by server-status reports
#
# $Id: lonstatusacc.pm,v 1.8 2020/12/18 15:23:03 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
# This file is part of the LearningOnline Network with CAPA (LON-CAPA).
#
# LON-CAPA is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# LON-CAPA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with LON-CAPA; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# /home/httpd/html/adm/gpl.txt
#
# http://www.lon-capa.org/
#
#############################################
#############################################
package Apache::lonstatusacc;
use strict;
use Apache::Constants qw(:common :http :remotehost);
use Apache::lonnet;
use LONCAPA::loncgi;
use LONCAPA::lonauthcgi;
sub handler {
    my $r = shift;
    # Requestor's IP address via the centralized lookup (accounts for
    # deployments behind a WAF/reverse proxy, per the change log above).
    my $reqhost = &Apache::lonnet::get_requestor_ip($r,REMOTE_NOLOOKUP);
    my $page = 'server-status';
    if (($r->uri eq '/adm/domainstatus') ||
        ($r->uri eq '/adm/test')) {
        # Both URIs require a valid LON-CAPA session cookie; the IP-based
        # allowances further down (loopback, peer nodes) are never reached.
        if (&LONCAPA::loncgi::check_cookie_and_load_env($r)) {
            if ($r->uri eq '/adm/domainstatus') {
                return OK;
            } elsif ($r->uri eq '/adm/test') {
                $page = 'showenv';
                if (&LONCAPA::lonauthcgi::can_view($page)) {
                    return OK;
                } elsif (&LONCAPA::lonauthcgi::check_ipbased_access($page,$reqhost)) {
                    return OK;
                } else {
                    $Apache::lonnet::env{'user.error.msg'} =
                        $r->uri.":bre:1:1:Access Denied";
                    return HTTP_NOT_ACCEPTABLE;
                }
            }
        } else {
            return FORBIDDEN;
        }
    } elsif ($r->uri ne '/server-status') {
        # Status files in the lon-status directory must exist on disk.
        $page = 'lonstatus';
        if (!-e $r->filename) {
            return NOT_FOUND;
        }
    }
    # Requests from the loopback address are always allowed.
    if ($reqhost eq '127.0.0.1') {
        return OK;
    }
    # Requests from another LON-CAPA node are allowed when that node hosts
    # a domain which this server also hosts.
    my @hostids= &Apache::lonnet::get_hosts_from_ip($reqhost);
    my @poss_domains = &Apache::lonnet::current_machine_domains();
    if (@hostids > 0) {
        foreach my $id (@hostids) {
            if ($id ne '') {
                my $dom = &Apache::lonnet::host_domain($id);
                if ($dom ne '') {
                    if (grep(/^\Q$dom\E$/,@poss_domains)) {
                        return OK;
                    }
                }
            }
        }
    }
    # Requestor's IP is listed in a hosted domain's configuration for this page.
    if (&LONCAPA::lonauthcgi::check_ipbased_access($page,$reqhost)) {
        return OK;
    }
    # Otherwise an authenticated session with a qualifying role or named-user entry.
    if (&LONCAPA::loncgi::check_cookie_and_load_env($r)) {
        if (&LONCAPA::lonauthcgi::can_view($page)) {
            return OK;
        }
    }
    # Fail closed and record the refusal in the Apache error log.
    $r->log_reason("Invalid request for server status from $reqhost",
                   $r->uri);
    return FORBIDDEN;
}
1;
__END__
=head1 NAME

Apache::lonstatusacc - Access Handler for Apache's server-status page
and also pages in lon-status directory.

=head1 SYNOPSIS

Invoked (for appropriate locations) by /etc/httpd/conf/loncapa_apache.conf

PerlAccessHandler Apache::lonstatusacc

=head1 INTRODUCTION

This module can support access control based on IP
address, or based on Domain Configuration settings
for authenticated users (via cookie).

The module is used for control of access to

(a) Apache's server-status page

(b) Status pages in the /home/httpd/html/lon-status directory
which were generated as follows:

  (i) when loncron was last run
      (index.html, loncron_simple.txt, loncstatus.txt, and londstatus.txt),
  (ii) when lonsql was last started
      (mysql.txt - only on connection failure),
  (iii) when /usr/local/loncapa/bin/CHECKRPMS was last run
      (checkrpms.txt),
  (iv) when ./UPDATE was run to install/update
      (version.txt).

(c) User environment information reported by /adm/test

This is part of the LearningOnline Network with CAPA project
described at http://www.lon-capa.org.

=head1 HANDLER SUBROUTINE

This routine is called by Apache and mod_perl.

The check for whether access is allowed for a specific page proceeds as follows:

(a) Access allowed for request from loopback address for any page.

(b) For any page except /adm/test, access allowed if at least one of the following applies:

  (1) If request is from a LON-CAPA server, if at least one domain hosted on
      requesting machine is also a domain hosted on this server.
  (2) IP address of requesting server is listed in domain configuration list
      of allowed machines for any of the domains hosted on this server.
  (3) If requestor has an active LON-CAPA session -- checked using
      LONCAPA::loncgi::check_cookie_and_load_env() -- access allowed
      AND one of the following is true:
        (i) Requestor has LON-CAPA superuser role
        (ii) Requestor's role is Domain Coordinator in one of the domains
             hosted on this server
        (iii) Domain configurations for domains hosted on this server include
              the requestor as one of the named users (username:domain) with access
              to the page.

(c) /adm/test

  Access requires a valid session - checked using
  LONCAPA::loncgi::check_cookie_and_load_env().
  If so, access is allowed if one of the following is true:
    (i) Requestor's role is LON-CAPA superuser role.
    (ii) Requestor has a Domain Coordinator role in the domain of the
         requestor ($env{'user.domain'}), regardless of requestor's role.
    (iii) Domain configurations for the domain of the current user include
          the requestor as one of the named users (username:domain) with access
          to the page.
    (iv) IP address of requestor is listed in domain configuration list
         of allowed IPs for the domain of the current user.

=cut
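The decision order described above, as an added model written for this page (it is not LON-CAPA code): the lookups the handler makes through Apache::lonnet and LONCAPA::lonauthcgi are replaced by a constructed ServerView of made-up domains, node IPs and allow-lists, so that the ordering of the checks, including the point that /adm/test and /adm/domainstatus are refused without a session before the loopback and peer-node allowances are ever consulted, can be exercised offline. Every IP-based allowance is only as trustworthy as get_requestor_ip's determination of the client address.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the facts the real handler fetches from
# Apache::lonnet and LONCAPA::lonauthcgi; every value below is made up.
@dataclass
class ServerView:
    local_domains: set = field(default_factory=set)     # domains hosted on this server
    node_domains: dict = field(default_factory=dict)    # peer-node IP -> domains it hosts
    ip_allowlist: dict = field(default_factory=dict)    # page -> IPs allowed by domain config
    session_can_view: set = field(default_factory=set)  # pages the cookie session may view
    existing_files: set = field(default_factory=set)    # lon-status URIs present on disk

def status_access(uri, reqhost, view, has_session):
    """Model of Apache::lonstatusacc::handler; returns the Apache status name."""
    page = 'server-status'
    if uri in ('/adm/domainstatus', '/adm/test'):
        if not has_session:
            return 'FORBIDDEN'            # no valid cookie: refused before any IP check
        if uri == '/adm/domainstatus':
            return 'OK'                   # any authenticated session may view it
        page = 'showenv'
        if page in view.session_can_view or reqhost in view.ip_allowlist.get(page, set()):
            return 'OK'
        return 'HTTP_NOT_ACCEPTABLE'      # session exists but lacks role or allowed IP
    if uri != '/server-status':
        page = 'lonstatus'
        if uri not in view.existing_files:
            return 'NOT_FOUND'
    if reqhost == '127.0.0.1':
        return 'OK'                       # loopback: only reached for non-/adm pages
    for dom in view.node_domains.get(reqhost, ()):
        if dom in view.local_domains:     # peer LON-CAPA node sharing a hosted domain
            return 'OK'
    if reqhost in view.ip_allowlist.get(page, set()):
        return 'OK'                       # IP named in a hosted domain's configuration
    if has_session and page in view.session_can_view:
        return 'OK'                       # superuser / DC / named user in domain config
    return 'FORBIDDEN'                    # fail closed, as the handler logs and does

# Constructed sample server: hosts 'msu'; 10.0.0.2 is a peer node hosting
# 'msu' and 'uiuc'; 10.0.0.9 is allow-listed for lon-status pages only.
VIEW = ServerView(local_domains={'msu'},
                  node_domains={'10.0.0.2': {'msu', 'uiuc'}},
                  ip_allowlist={'lonstatus': {'10.0.0.9'}},
                  existing_files={'/lon-status/index.html'})
```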