Annotation of loncom/auth/lonwebdavacc.pm, revision 1.2
1.1 raeburn 1: # The LearningOnline Network
2: # Authorization Handler for webDAV access to Authoring Space.
3: #
1.2 ! raeburn 4: # $Id: lonwebdavacc.pm,v 1.1 2012/02/27 03:06:33 raeburn Exp $
1.1 raeburn 5: #
6: # Copyright Michigan State University Board of Trustees
7: #
8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
9: #
10: # LON-CAPA is free software; you can redistribute it and/or modify
11: # it under the terms of the GNU General Public License as published by
12: # the Free Software Foundation; either version 2 of the License, or
13: # (at your option) any later version.
14: #
15: # LON-CAPA is distributed in the hope that it will be useful,
16: # but WITHOUT ANY WARRANTY; without even the implied warranty of
17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18: # GNU General Public License for more details.
19: #
20: # You should have received a copy of the GNU General Public License
21: # along with LON-CAPA; if not, write to the Free Software
22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23: #
24: # /home/httpd/html/adm/gpl.txt
25: #
26: # http://www.lon-capa.org/
27: #
28:
29: =pod
30:
31: =head1 NAME
32:
33: Apache::lonwebdavacc - webDAV Authorization Handler
34:
35: =head1 SYNOPSIS
36:
37: Invoked for /+webdav/[\w\-]+/[\w\-]+/ by
38: /etc/httpd/conf/loncapa_apache.conf:
39:
40: PerlAccessHandler Apache::lonwebdavacc
41:
42: =head1 INTRODUCTION
43:
44: This module enables authorization for authoring space
45: and is used to control access for the following type of URI:
46:
47: <LocationMatch "^/webdav/[\w\-]+/[\w\-]+>
48:
49: This module is only called following successful authentication.
50: Unless lonOtherAuthen has been set, so Single Sign On can be used,
51: successful authentication will have created a session file and
52: transferred the contents to the user's environment.
53:
54: In the case of SSO, there is no existing user environment, but
55: $r->user will have been set to the user's username, following
56: successful authentication. For SSO, the webDAV session file
57: and environment are set up by a call to
58: Apache::lonwebdavauth::init_webdav_env().
59:
60: Note: because Apache Basic Auth is used for authentication (unless SSO)
61: webDAV access is only available for servers running Apache with SSL.
62:
63: This is part of the LearningOnline Network with CAPA project
64: described at http://www.lon-capa.org.
65:
66: =head1 HANDLER SUBROUTINE
67:
68: This routine is called by Apache and mod_perl.
69:
70: =over 4
71:
72: =item *
73:
74: Checks if $env{'user.environment'} is defined.
75:
76: =item *
77:
78: If no %env, this was SSO authentication so call to &sso_login() to
79: create session, and return cookie.
80:
81: =item *
82:
83: Checks if requested URL (of form /webdav/authordomain/authorname) is valid
84: and whether authenticated user has an active author or co-author
85: role in the corresonding Author Space.
86:
87: =back
88:
89: =head1 NOTABLE SUBROUTINES
90:
91: =over
92:
93: =item * sso_login()
94:
95: =over
96:
97: =item *
98:
99: Called if no user.environment exists in %env.
100:
101: =item *
102:
103: Checks if $r->user contains a valid user.
104:
105: =item *
106:
107: Domain is set either from lonSSOUserDomain perlvar (if defined)
108: or from lonDefDomain perlvar.
109:
110: =item *
111:
112: For a valid user a new session file and is created, and the corresponding
113: cookie is returned to the client in an Apache response header.
114:
115: =back
116:
117: =back
118:
119: =cut
120:
121: package Apache::lonwebdavacc;
122:
123: use strict;
124: use GDBM_File;
125: use Apache::Constants qw(:common :http :methods);
126: use Apache::lonnet;
1.2 ! raeburn 127: use Apache::londiff();
1.1 raeburn 128: use LONCAPA qw(:DEFAULT :match);
129:
130: sub handler {
131: my $r = shift;
132: my $timetolive = 600;
133: my $now = time;
134: my $sessiondir=$r->dir_config('lonDAVsessDir');
135:
136: my ($adom,$aname);
137: unless ($env{'user.environment'}) {
138: my $handle = &Apache::lonnet::check_for_valid_session($r,'lonDAV');
139: if ($handle eq '') {
140: $handle = &sso_login($r,$sessiondir,$now,$timetolive);
141: if ($handle eq '') {
142: return FORBIDDEN;
143: }
144: } else {
145: &Apache::lonnet::transfer_profile_to_env($sessiondir,$handle);
146: }
147: }
148: my $uhome=&Apache::lonnet::homeserver($env{'user.name'},$env{'user.domain'});
149: if ($uhome =~ /^(con_lost|no_host|no_such_host)$/) {
150: return FORBIDDEN;
151: }
152:
153: ($adom,$aname) = ($r->uri =~ m{^/webdav/($match_domain)/($match_username)/});
154: my $docroot = $r->dir_config('lonDocRoot');
155: if ($adom eq '' || $aname eq '') {
156: return FORBIDDEN;
157: } elsif (!-d "$docroot/priv/$adom/$aname") {
158: return FORBIDDEN;
159: }
1.2 ! raeburn 160: my $allowed;
1.1 raeburn 161: if (($env{'user.name'} eq $aname) && ($env{'user.domain'} eq $adom)) {
162: if ($env{"user.role.au./$adom/"}) {
1.2 ! raeburn 163: $allowed = 1;
1.1 raeburn 164: }
165: } else {
166: if (($env{"user.role.ca./$adom/$aname"}) ||
167: (env{"user.role.aa./$adom/$aname"})) {
1.2 ! raeburn 168: $allowed = 1;
1.1 raeburn 169: }
170: }
1.2 ! raeburn 171: if ($allowed) {
! 172: my $method = $r->method();
! 173: if (($r->filename =~ /.+\.(log|bak|meta|save)$/) || ($r->filename =~ /\.\d+\.\w+$/) ||
! 174: ($r->filename =~ m{/\.+[^_/]+$})) {
! 175: if (($method eq 'MKCOL') || ($method eq 'PUT')) {
! 176: return FORBIDDEN;
! 177: } elsif ($method eq 'MOVE') {
! 178: if (($r->filename =~ /\.\d+\.\w+$/) || ($r->filename =~ m{/\.+[^_/]+$})) {
! 179: return FORBIDDEN;
! 180: }
! 181: }
! 182: }
! 183: if (($method eq 'DELETE') || ($method eq 'MOVE')) {
! 184: unless (($r->filename =~ m{/\._[^/]+$}) || ($r->filename =~ m{/\.DS_Store$})) {
! 185: my $dirptr=16384;
! 186: my ($cmode,$cmtime)=(stat($r->filename))[2,9];
! 187: if (($cmode&$dirptr)) {
! 188: my $numpub = 0;
! 189: $numpub = &recurse_dir($r->filename,$r->dir_config('lonDocRoot'),$numpub);
! 190: if ($numpub) {
! 191: return FORBIDDEN;
! 192: }
! 193: } else {
! 194: if ($r->filename =~ /^(.+)\.(log|bak|save|meta)$/) {
! 195: my $conjugate = $1;
! 196: my $type = $2;
! 197: if (($type eq 'log') || ($type eq 'meta')) {
! 198: if (-e $conjugate) {
! 199: my $conjstatus = &pubstatus($conjugate,$r->dir_config('lonDocRoot'));
! 200: unless (($conjstatus eq 'unpublished') || ($conjstatus eq 'obsolete')) {
! 201: return FORBIDDEN;
! 202: }
! 203: }
! 204: }
! 205: } else {
! 206: my $status = &pubstatus($r->filename,$r->dir_config('lonDocRoot'));
! 207: unless (($status eq 'unpublished') || ($status eq 'obsolete')) {
! 208: return FORBIDDEN;
! 209: }
! 210: }
! 211: }
! 212: }
! 213: }
! 214: return OK;
! 215: }
1.1 raeburn 216: return FORBIDDEN;
217: }
218:
219: sub sso_login {
220: my ($r,$sessiondir,$now,$timetolive) = @_;
221: my ($uname,$udom);
222: my ($uname) = ($r->user =~ m/([a-zA-Z0-9_\-@.]*)/);
223: unless ($uname =~ /^$match_username$/) {
224: return;
225: }
226: $udom = $r->dir_config('lonSSOUserDomain');
227: if ($udom eq '') {
228: $udom = $r->dir_config('lonDefDomain');
229: }
230: unless (($udom =~ /^$match_domain$/)) {
231: return;
232: }
233: my $uhome = &Apache::lonnet::homeserver($uname,$udom);
234: if ($uhome =~ /^(con_lost|no_host|no_such_host)$/) {
235: return;
236: }
237: my $handle =
238: &Apache::lonwebdavauth::init_webdav_env($sessiondir,$uname,$udom,
239: $uhome,$now,$timetolive);
240: if ($handle ne '') {
241: my $cookie = "lonDAV=$handle; path=/webdav/; secure; HttpOnly;";
242: $r->header_out('Set-cookie' => $cookie);
243: $r->send_http_header;
244: }
245: return ($handle);
246: }
247:
1.2 ! raeburn 248: sub pubstatus {
! 249: my ($fn,$docroot,$cmtime) = @_;
! 250: my $privfn = $fn;
! 251: my $thisdisfn = $fn;
! 252: $thisdisfn=~s/^\Q$docroot\E\/priv//;
! 253: my $resfn=$docroot.'/res'.$thisdisfn;
! 254: my $targetfn = '/res'.$thisdisfn;
! 255: my $status = 'unpublished';
! 256: if (-e $resfn) {
! 257: $status = 'published';
! 258: my $same = 0;
! 259: if ((stat($resfn))[9] >= $cmtime) {
! 260: $same = 1;
! 261: } else {
! 262: if (&Apache::londiff::are_different_files($resfn,$privfn)) {
! 263: $same = 0;
! 264: } else {
! 265: $same = 1;
! 266: }
! 267: }
! 268: if ($same) {
! 269: if (&Apache::lonnet::metadata($targetfn,'obsolete')) {
! 270: $status = 'obsolete';
! 271: }
! 272: }
! 273: }
! 274: return $status;
! 275: }
! 276:
! 277: sub recurse_dir {
! 278: my ($dirname,$docroot,$numpub) = @_;
! 279: $dirname =~ s{/$}{};
! 280: my $dirptr=16384;
! 281: if (opendir(my $dirh,$dirname)) {
! 282: my @items = readdir($dirh);
! 283: closedir($dirh);
! 284: foreach my $item (@items) {
! 285: next if ($item =~ /.+\.(log|bak|save|meta)$/);
! 286: next if ($item =~ /^\.+/);
! 287: my ($cmode,$cmtime)=(stat("$dirname/$item"))[2,9];
! 288: if (!($cmode&$dirptr)) {
! 289: if (&pubstatus("$dirname/$item",$docroot,$cmtime) eq 'published') {
! 290: $numpub ++;
! 291: }
! 292: } else {
! 293: $numpub = &recursedir("$dirname/$item",$docroot,$numpub);
! 294: }
! 295: }
! 296: }
! 297: return $numpub;
! 298: }
! 299:
1.1 raeburn 300: 1;
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to lonwebdavacc.pm CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom / auth