Annotation of loncom/auth/lonwebdavacc.pm, revision 1.5

1.1       raeburn     1: # The LearningOnline Network
                      2: # Authorization Handler for webDAV access to Authoring Space. 
                      3: #
1.5     ! raeburn     4: # $Id: lonwebdavacc.pm,v 1.4 2015/05/29 18:42:01 raeburn Exp $
1.1       raeburn     5: #
                      6: # Copyright Michigan State University Board of Trustees
                      7: #
                      8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
                      9: #
                     10: # LON-CAPA is free software; you can redistribute it and/or modify
                     11: # it under the terms of the GNU General Public License as published by
                     12: # the Free Software Foundation; either version 2 of the License, or
                     13: # (at your option) any later version.
                     14: #
                     15: # LON-CAPA is distributed in the hope that it will be useful,
                     16: # but WITHOUT ANY WARRANTY; without even the implied warranty of
                     17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
                     18: # GNU General Public License for more details.
                     19: #
                     20: # You should have received a copy of the GNU General Public License
                     21: # along with LON-CAPA; if not, write to the Free Software
                     22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
                     23: #
                     24: # /home/httpd/html/adm/gpl.txt
                     25: #
                     26: # http://www.lon-capa.org/
                     27: #
                     28: 
                     29: =pod
                     30: 
                     31: =head1 NAME
                     32: 
                     33: Apache::lonwebdavacc - webDAV Authorization Handler
                     34: 
                     35: =head1 SYNOPSIS
                     36: 
1.4       raeburn    37: Invoked for ^/+webdav/[\w\-.]+/\w[\w.\-\@]+/ by
1.1       raeburn    38: /etc/httpd/conf/loncapa_apache.conf:
                     39: 
                     40: PerlAccessHandler       Apache::lonwebdavacc
                     41: 
                     42: =head1 INTRODUCTION
                     43: 
                     44: This module enables authorization for authoring space
                     45: and is used to control access for the following type of URI:
                     46: 
1.4       raeburn    47:  <LocationMatch "^/+webdav/[\w\-.]+/\w[\w.\-\@]+/">
1.1       raeburn    48: 
                     49: This module is only called following successful authentication. 
1.5     ! raeburn    50: Successful authentication will have created a session file and
1.1       raeburn    51: transferred the contents to the user's environment.
                     52: 
1.5     ! raeburn    53: Note: because Apache Basic Auth is used for authentication 
1.1       raeburn    54: webDAV access is only available for servers running Apache with SSL.
                     55: 
                     56: This is part of the LearningOnline Network with CAPA project
                     57: described at http://www.lon-capa.org.
                     58: 
                     59: =head1 HANDLER SUBROUTINE
                     60: 
                     61: This routine is called by Apache and mod_perl.
                     62: 
                     63: =over 4
                     64: 
                     65: =item *
                     66: 
                     67: Checks if $env{'user.environment'} is defined.
                     68: 
                     69: =item *
                     70: 
1.5     ! raeburn    71: If no %env, calls Apache::lonnet::check_for_valid_session() 
        !            72: to retrieve a valid sessionID (webDAV client needs to support
        !            73: cookies for session retrieval to be successful). If a session is
        !            74: found Apache::lonnet::transfer_profile_to_env() is called 
        !            75: to populate %env.
1.1       raeburn    76: 
                     77: =item *
                     78: 
                     79: Checks if requested URL (of form /webdav/authordomain/authorname) is valid
                     80: and whether authenticated user has an active author or co-author
1.5     ! raeburn    81: role in the corresponding Authoring Space. 
1.1       raeburn    82: 
                     83: =back
                     84: 
                     85: =head1 NOTABLE SUBROUTINES
                     86: 
                     87: =over
                     88: 
                     89: =item * sso_login()
                     90: 
                     91: =over 
                     92: 
                     93: =item *
                     94: 
1.5     ! raeburn    95: Not currently used.
1.1       raeburn    96: 
                     97: =item *
                     98: 
                     99: Checks if $r->user contains a valid user.
                    100: 
                    101: =item *
                    102: 
                    103: Domain is set either from lonSSOUserDomain perlvar (if defined)
                    104: or from lonDefDomain perlvar.
                    105:  
                    106: =item *
                    107: 
                    108: For a valid user a new session file and is created, and the corresponding 
                    109: cookie is returned to the client in an Apache response header.
                    110: 
                    111: =back
                    112: 
                    113: =back
                    114: 
                    115: =cut
                    116: 
                    117: package Apache::lonwebdavacc;
                    118: 
                    119: use strict;
                    120: use GDBM_File;
                    121: use Apache::Constants qw(:common :http :methods);
                    122: use Apache::lonnet;
1.2       raeburn   123: use Apache::londiff();
1.1       raeburn   124: use LONCAPA qw(:DEFAULT :match);
                    125: 
                    126: sub handler {
                    127:     my $r = shift;
                    128:     my $timetolive = 600;
                    129:     my $now = time;
                    130:     my $sessiondir=$r->dir_config('lonDAVsessDir');
                    131: 
1.4       raeburn   132:     my ($adom,$aname) = ($r->uri =~ m{^/webdav/($match_domain)/($match_username)/});
                    133:     my $author = "$aname:$adom";
1.1       raeburn   134:     unless ($env{'user.environment'}) {
                    135:         my $handle = &Apache::lonnet::check_for_valid_session($r,'lonDAV');
1.5     ! raeburn   136:         if ($handle ne '') {
        !           137:             &Apache::lonnet::transfer_profile_to_env($sessiondir,$handle);
1.1       raeburn   138:         } else {
1.5     ! raeburn   139:             return FORBIDDEN;
1.1       raeburn   140:         }
                    141:     }
                    142:     my $uhome=&Apache::lonnet::homeserver($env{'user.name'},$env{'user.domain'});
                    143:     if ($uhome =~ /^(con_lost|no_host|no_such_host)$/) {
                    144:         return FORBIDDEN;
                    145:     }
                    146: 
                    147:     my $docroot = $r->dir_config('lonDocRoot');
                    148:     if ($adom eq '' || $aname eq '') {
                    149:         return FORBIDDEN;
                    150:     } elsif (!-d "$docroot/priv/$adom/$aname") {
                    151:         return FORBIDDEN;
                    152:     }
1.2       raeburn   153:     my $allowed;  
1.1       raeburn   154:     if (($env{'user.name'} eq $aname) && ($env{'user.domain'} eq $adom)) {
                    155:         if ($env{"user.role.au./$adom/"}) {
1.2       raeburn   156:             $allowed = 1;
1.1       raeburn   157:         }
                    158:     } else {
                    159:         if (($env{"user.role.ca./$adom/$aname"}) ||
                    160:             (env{"user.role.aa./$adom/$aname"})) {
1.2       raeburn   161:             $allowed = 1;
1.1       raeburn   162:         }
                    163:     }
1.2       raeburn   164:     if ($allowed) {
                    165:         my $method = $r->method();
                    166:         if (($r->filename =~ /.+\.(log|bak|meta|save)$/) || ($r->filename =~ /\.\d+\.\w+$/) || 
                    167:             ($r->filename =~ m{/\.+[^_/]+$})) {
                    168:             if (($method eq 'MKCOL') || ($method eq 'PUT')) {
                    169:                 return FORBIDDEN;
                    170:             } elsif ($method eq 'MOVE') {
                    171:                 if (($r->filename =~ /\.\d+\.\w+$/) || ($r->filename =~ m{/\.+[^_/]+$})) {
                    172:                     return FORBIDDEN;
                    173:                 }
                    174:             }
                    175:         }
                    176:         if (($method eq 'DELETE') || ($method eq 'MOVE')) {
                    177:             unless (($r->filename =~ m{/\._[^/]+$}) || ($r->filename =~ m{/\.DS_Store$})) {
                    178:                 my $dirptr=16384;
                    179:                 my ($cmode,$cmtime)=(stat($r->filename))[2,9];
                    180:                 if (($cmode&$dirptr)) {
                    181:                     my $numpub = 0;
                    182:                     $numpub = &recurse_dir($r->filename,$r->dir_config('lonDocRoot'),$numpub);
                    183:                     if ($numpub) {
                    184:                         return FORBIDDEN;
                    185:                     }
                    186:                 } else {
                    187:                     if ($r->filename =~ /^(.+)\.(log|bak|save|meta)$/) {
                    188:                         my $conjugate = $1;
                    189:                         my $type = $2; 
                    190:                         if (($type eq 'log') || ($type eq 'meta')) {
                    191:                             if (-e $conjugate) {
                    192:                                 my $conjstatus = &pubstatus($conjugate,$r->dir_config('lonDocRoot'));
                    193:                                 unless (($conjstatus eq 'unpublished') || ($conjstatus eq 'obsolete')) {
                    194:                                     return FORBIDDEN;
                    195:                                 }
                    196:                             }
                    197:                         }
                    198:                     } else {
                    199:                         my $status = &pubstatus($r->filename,$r->dir_config('lonDocRoot'));
                    200:                         unless (($status eq 'unpublished') || ($status eq 'obsolete')) {
                    201:                             return FORBIDDEN;
                    202:                         }
                    203:                     }
                    204:                 }
                    205:             }
                    206:         }
                    207:         return OK;
                    208:     }
1.1       raeburn   209:     return FORBIDDEN;
                    210: }
                    211: 
                    212: sub sso_login {
1.4       raeburn   213:     my ($r,$sessiondir,$now,$timetolive,$author) = @_;
1.1       raeburn   214:     my ($uname,$udom);
                    215:     my ($uname) = ($r->user =~ m/([a-zA-Z0-9_\-@.]*)/);
                    216:     unless ($uname =~ /^$match_username$/) {
                    217:         return;
                    218:     }
                    219:     $udom = $r->dir_config('lonSSOUserDomain');
                    220:     if ($udom eq '') {
                    221:         $udom = $r->dir_config('lonDefDomain');
                    222:     }
                    223:     unless (($udom =~ /^$match_domain$/)) {
                    224:         return;
                    225:     }
                    226:     my $uhome = &Apache::lonnet::homeserver($uname,$udom);
                    227:     if ($uhome =~ /^(con_lost|no_host|no_such_host)$/) {
                    228:         return;
                    229:     }
                    230:     my $handle = 
1.4       raeburn   231:         &Apache::lonwebdavauth::init_webdav_env($r,$sessiondir,$uname,$udom,
                    232:                                                 $uhome,$now,$timetolive,$author);
1.1       raeburn   233:     if ($handle ne '') {
1.4       raeburn   234:         if (&Apache::lonnet::usertools_access($uname,$udom,'webdav')) {
                    235:             my ($webdav) =
                    236:                 ($r->uri =~ m{^(/webdav/$match_domain/$match_username/)});
                    237:             &Apache::lonnet::log($udom,$uname,$uhome,
                    238:                                  "SSO log-in to $webdav from $ENV{'REMOTE_ADDR'}");
                    239:             my $cookie = "lonDAV=$handle; path=/webdav/; secure; HttpOnly;";
                    240:             $r->header_out('Set-cookie' => $cookie);
                    241:             $r->send_http_header;
                    242:         }
1.1       raeburn   243:     }
                    244:     return ($handle);
                    245: }
                    246: 
1.2       raeburn   247: sub pubstatus {
                    248:     my ($fn,$docroot,$cmtime) = @_;
                    249:     my $privfn = $fn;
                    250:     my $thisdisfn = $fn;
                    251:     $thisdisfn=~s/^\Q$docroot\E\/priv//;
                    252:     my $resfn=$docroot.'/res'.$thisdisfn;
                    253:     my $targetfn = '/res'.$thisdisfn;
                    254:     my $status = 'unpublished';
                    255:     if (-e $resfn) {
                    256:         $status = 'published';
                    257:         my $same = 0;
                    258:         if ((stat($resfn))[9] >= $cmtime) {
                    259:             $same = 1;
                    260:         } else {
                    261:             if (&Apache::londiff::are_different_files($resfn,$privfn)) {
                    262:                 $same = 0;
                    263:             } else {
                    264:                 $same = 1;
                    265:             }
                    266:         }
                    267:         if ($same) {
                    268:             if (&Apache::lonnet::metadata($targetfn,'obsolete')) {
                    269:                 $status = 'obsolete';
                    270:             }
                    271:         }
                    272:     }
                    273:     return $status;
                    274: }
                    275: 
                    276: sub recurse_dir {
                    277:     my ($dirname,$docroot,$numpub) = @_;
                    278:     $dirname =~ s{/$}{};
                    279:     my $dirptr=16384;
                    280:     if (opendir(my $dirh,$dirname)) {
                    281:         my @items = readdir($dirh);
                    282:         closedir($dirh);
                    283:         foreach my $item (@items) {
                    284:             next if ($item =~ /.+\.(log|bak|save|meta)$/);
                    285:             next if ($item =~ /^\.+/);
                    286:             my ($cmode,$cmtime)=(stat("$dirname/$item"))[2,9];
                    287:             if (!($cmode&$dirptr)) {
                    288:                 if (&pubstatus("$dirname/$item",$docroot,$cmtime) eq 'published') {
                    289:                     $numpub ++;
                    290:                 }
                    291:             } else {
1.3       raeburn   292:                 $numpub = &recurse_dir("$dirname/$item",$docroot,$numpub);
1.2       raeburn   293:             }
                    294:         }
                    295:     }
                    296:     return $numpub;
                    297: }
                    298: 
1.1       raeburn   299: 1;

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>