Annotation of loncom/auth/lonwebdavacc.pm, revision 1.1

1.1     ! raeburn     1: # The LearningOnline Network
        !             2: # Authorization Handler for webDAV access to Authoring Space. 
        !             3: #
        !             4: # $Id: lonwebdavacc.pm,v 1.1 2012/2/25 19:37:40 raeburn Exp $
        !             5: #
        !             6: # Copyright Michigan State University Board of Trustees
        !             7: #
        !             8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
        !             9: #
        !            10: # LON-CAPA is free software; you can redistribute it and/or modify
        !            11: # it under the terms of the GNU General Public License as published by
        !            12: # the Free Software Foundation; either version 2 of the License, or
        !            13: # (at your option) any later version.
        !            14: #
        !            15: # LON-CAPA is distributed in the hope that it will be useful,
        !            16: # but WITHOUT ANY WARRANTY; without even the implied warranty of
        !            17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
        !            18: # GNU General Public License for more details.
        !            19: #
        !            20: # You should have received a copy of the GNU General Public License
        !            21: # along with LON-CAPA; if not, write to the Free Software
        !            22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
        !            23: #
        !            24: # /home/httpd/html/adm/gpl.txt
        !            25: #
        !            26: # http://www.lon-capa.org/
        !            27: #
        !            28: 
        !            29: =pod
        !            30: 
        !            31: =head1 NAME
        !            32: 
        !            33: Apache::lonwebdavacc - webDAV Authorization Handler
        !            34: 
        !            35: =head1 SYNOPSIS
        !            36: 
        !            37: Invoked for /+webdav/[\w\-]+/[\w\-]+/ by
        !            38: /etc/httpd/conf/loncapa_apache.conf:
        !            39: 
        !            40: PerlAccessHandler       Apache::lonwebdavacc
        !            41: 
        !            42: =head1 INTRODUCTION
        !            43: 
        !            44: This module enables authorization for authoring space
        !            45: and is used to control access for the following type of URI:
        !            46: 
        !            47:  <LocationMatch "^/webdav/[\w\-]+/[\w\-]+>
        !            48: 
        !            49: This module is only called following successful authentication. 
        !            50: Unless lonOtherAuthen has been set, so Single Sign On can be used,
        !            51: successful authentication will have created a session file and
        !            52: transferred the contents to the user's environment.
        !            53: 
        !            54: In the case of SSO, there is no existing user environment, but  
        !            55: $r->user will have been set to the user's username, following 
        !            56: successful authentication.  For SSO, the webDAV session file
        !            57: and environment are set up by a call to 
        !            58: Apache::lonwebdavauth::init_webdav_env().
        !            59: 
        !            60: Note: because Apache Basic Auth is used for authentication (unless SSO)
        !            61: webDAV access is only available for servers running Apache with SSL.
        !            62: 
        !            63: This is part of the LearningOnline Network with CAPA project
        !            64: described at http://www.lon-capa.org.
        !            65: 
        !            66: =head1 HANDLER SUBROUTINE
        !            67: 
        !            68: This routine is called by Apache and mod_perl.
        !            69: 
        !            70: =over 4
        !            71: 
        !            72: =item *
        !            73: 
        !            74: Checks if $env{'user.environment'} is defined.
        !            75: 
        !            76: =item *
        !            77: 
        !            78: If no %env, this was SSO authentication so call to &sso_login() to
        !            79: create session, and return cookie. 
        !            80: 
        !            81: =item *
        !            82: 
        !            83: Checks if requested URL (of form /webdav/authordomain/authorname) is valid
        !            84: and whether authenticated user has an active author or co-author
        !            85: role in the corresonding Author Space. 
        !            86: 
        !            87: =back
        !            88: 
        !            89: =head1 NOTABLE SUBROUTINES
        !            90: 
        !            91: =over
        !            92: 
        !            93: =item * sso_login()
        !            94: 
        !            95: =over 
        !            96: 
        !            97: =item *
        !            98: 
        !            99: Called if no user.environment exists in %env.
        !           100: 
        !           101: =item *
        !           102: 
        !           103: Checks if $r->user contains a valid user.
        !           104: 
        !           105: =item *
        !           106: 
        !           107: Domain is set either from lonSSOUserDomain perlvar (if defined)
        !           108: or from lonDefDomain perlvar.
        !           109:  
        !           110: =item *
        !           111: 
        !           112: For a valid user a new session file and is created, and the corresponding 
        !           113: cookie is returned to the client in an Apache response header.
        !           114: 
        !           115: =back
        !           116: 
        !           117: =back
        !           118: 
        !           119: =cut
        !           120: 
        !           121: package Apache::lonwebdavacc;
        !           122: 
        !           123: use strict;
        !           124: use GDBM_File;
        !           125: use Apache::Constants qw(:common :http :methods);
        !           126: use Apache::lonnet;
        !           127: use LONCAPA qw(:DEFAULT :match);
        !           128: 
        !           129: sub handler {
        !           130:     my $r = shift;
        !           131:     my $timetolive = 600;
        !           132:     my $now = time;
        !           133:     my $sessiondir=$r->dir_config('lonDAVsessDir');
        !           134: 
        !           135:     my ($adom,$aname);
        !           136:     unless ($env{'user.environment'}) {
        !           137:         my $handle = &Apache::lonnet::check_for_valid_session($r,'lonDAV');
        !           138:         if ($handle eq '') {
        !           139:             $handle = &sso_login($r,$sessiondir,$now,$timetolive);
        !           140:             if ($handle eq '') {
        !           141:                 return FORBIDDEN;
        !           142:             }
        !           143:         } else {
        !           144:             &Apache::lonnet::transfer_profile_to_env($sessiondir,$handle);
        !           145:         }
        !           146:     }
        !           147:     my $uhome=&Apache::lonnet::homeserver($env{'user.name'},$env{'user.domain'});
        !           148:     if ($uhome =~ /^(con_lost|no_host|no_such_host)$/) {
        !           149:         return FORBIDDEN;
        !           150:     }
        !           151: 
        !           152:     ($adom,$aname) = ($r->uri =~ m{^/webdav/($match_domain)/($match_username)/});
        !           153:     my $docroot = $r->dir_config('lonDocRoot');
        !           154:     if ($adom eq '' || $aname eq '') {
        !           155:         return FORBIDDEN;
        !           156:     } elsif (!-d "$docroot/priv/$adom/$aname") {
        !           157:         return FORBIDDEN;
        !           158:     }
        !           159:     # FIXME method check for MKCOL MOVE PUT DELETE for *.log, *.bak
        !           160:     # FIXME method check for regexp for "version-style" names: /\.\d+\.\w+$/
        !           161:     # for MOVE PUT MKCOL 
        !           162:     if (($env{'user.name'} eq $aname) && ($env{'user.domain'} eq $adom)) {
        !           163:         if ($env{"user.role.au./$adom/"}) {
        !           164:             return OK;
        !           165:         }
        !           166:     } else {
        !           167:         if (($env{"user.role.ca./$adom/$aname"}) ||
        !           168:             (env{"user.role.aa./$adom/$aname"})) {
        !           169:             return OK;
        !           170:         }
        !           171:     }
        !           172:     return FORBIDDEN;
        !           173: }
        !           174: 
        !           175: sub sso_login {
        !           176:     my ($r,$sessiondir,$now,$timetolive) = @_;
        !           177:     my ($uname,$udom);
        !           178:     my ($uname) = ($r->user =~ m/([a-zA-Z0-9_\-@.]*)/);
        !           179:     unless ($uname =~ /^$match_username$/) {
        !           180:         return;
        !           181:     }
        !           182:     $udom = $r->dir_config('lonSSOUserDomain');
        !           183:     if ($udom eq '') {
        !           184:         $udom = $r->dir_config('lonDefDomain');
        !           185:     }
        !           186:     unless (($udom =~ /^$match_domain$/)) {
        !           187:         return;
        !           188:     }
        !           189:     my $uhome = &Apache::lonnet::homeserver($uname,$udom);
        !           190:     if ($uhome =~ /^(con_lost|no_host|no_such_host)$/) {
        !           191:         return;
        !           192:     }
        !           193:     my $handle = 
        !           194:         &Apache::lonwebdavauth::init_webdav_env($sessiondir,$uname,$udom,
        !           195:                                                 $uhome,$now,$timetolive);
        !           196:     if ($handle ne '') {
        !           197:         my $cookie = "lonDAV=$handle; path=/webdav/; secure; HttpOnly;";
        !           198:         $r->header_out('Set-cookie' => $cookie);
        !           199:         $r->send_http_header;
        !           200:     }
        !           201:     return ($handle);
        !           202: }
        !           203: 
        !           204: 1;

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>