Annotation of loncom/auth/lonwebdavacc.pm, revision 1.5
1.1 raeburn 1: # The LearningOnline Network
2: # Authorization Handler for webDAV access to Authoring Space.
3: #
1.5 ! raeburn 4: # $Id: lonwebdavacc.pm,v 1.4 2015/05/29 18:42:01 raeburn Exp $
1.1 raeburn 5: #
6: # Copyright Michigan State University Board of Trustees
7: #
8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
9: #
10: # LON-CAPA is free software; you can redistribute it and/or modify
11: # it under the terms of the GNU General Public License as published by
12: # the Free Software Foundation; either version 2 of the License, or
13: # (at your option) any later version.
14: #
15: # LON-CAPA is distributed in the hope that it will be useful,
16: # but WITHOUT ANY WARRANTY; without even the implied warranty of
17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18: # GNU General Public License for more details.
19: #
20: # You should have received a copy of the GNU General Public License
21: # along with LON-CAPA; if not, write to the Free Software
22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23: #
24: # /home/httpd/html/adm/gpl.txt
25: #
26: # http://www.lon-capa.org/
27: #
28:
29: =pod
30:
31: =head1 NAME
32:
33: Apache::lonwebdavacc - webDAV Authorization Handler
34:
35: =head1 SYNOPSIS
36:
1.4 raeburn 37: Invoked for ^/+webdav/[\w\-.]+/\w[\w.\-\@]+/ by
1.1 raeburn 38: /etc/httpd/conf/loncapa_apache.conf:
39:
40: PerlAccessHandler Apache::lonwebdavacc
41:
42: =head1 INTRODUCTION
43:
44: This module enables authorization for authoring space
45: and is used to control access for the following type of URI:
46:
1.4 raeburn 47: <LocationMatch "^/+webdav/[\w\-.]+/\w[\w.\-\@]+/">
1.1 raeburn 48:
49: This module is only called following successful authentication.
1.5 ! raeburn 50: Successful authentication will have created a session file and
1.1 raeburn 51: transferred the contents to the user's environment.
52:
1.5 ! raeburn 53: Note: because Apache Basic Auth is used for authentication
1.1 raeburn 54: webDAV access is only available for servers running Apache with SSL.
55:
56: This is part of the LearningOnline Network with CAPA project
57: described at http://www.lon-capa.org.
58:
59: =head1 HANDLER SUBROUTINE
60:
61: This routine is called by Apache and mod_perl.
62:
63: =over 4
64:
65: =item *
66:
67: Checks if $env{'user.environment'} is defined.
68:
69: =item *
70:
1.5 ! raeburn 71: If no %env, calls Apache::lonnet::check_for_valid_session()
! 72: to retrieve a valid sessionID (webDAV client needs to support
! 73: cookies for session retrieval to be successful). If a session is
! 74: found Apache::lonnet::transfer_profile_to_env() is called
! 75: to populate %env.
1.1 raeburn 76:
77: =item *
78:
79: Checks if requested URL (of form /webdav/authordomain/authorname) is valid
80: and whether authenticated user has an active author or co-author
1.5 ! raeburn 81: role in the corresponding Authoring Space.
1.1 raeburn 82:
83: =back
84:
85: =head1 NOTABLE SUBROUTINES
86:
87: =over
88:
89: =item * sso_login()
90:
91: =over
92:
93: =item *
94:
1.5 ! raeburn 95: Not currently used.
1.1 raeburn 96:
97: =item *
98:
99: Checks if $r->user contains a valid user.
100:
101: =item *
102:
103: Domain is set either from lonSSOUserDomain perlvar (if defined)
104: or from lonDefDomain perlvar.
105:
106: =item *
107:
108: For a valid user a new session file and is created, and the corresponding
109: cookie is returned to the client in an Apache response header.
110:
111: =back
112:
113: =back
114:
115: =cut
116:
117: package Apache::lonwebdavacc;
118:
119: use strict;
120: use GDBM_File;
121: use Apache::Constants qw(:common :http :methods);
122: use Apache::lonnet;
1.2 raeburn 123: use Apache::londiff();
1.1 raeburn 124: use LONCAPA qw(:DEFAULT :match);
125:
126: sub handler {
127: my $r = shift;
128: my $timetolive = 600;
129: my $now = time;
130: my $sessiondir=$r->dir_config('lonDAVsessDir');
131:
1.4 raeburn 132: my ($adom,$aname) = ($r->uri =~ m{^/webdav/($match_domain)/($match_username)/});
133: my $author = "$aname:$adom";
1.1 raeburn 134: unless ($env{'user.environment'}) {
135: my $handle = &Apache::lonnet::check_for_valid_session($r,'lonDAV');
1.5 ! raeburn 136: if ($handle ne '') {
! 137: &Apache::lonnet::transfer_profile_to_env($sessiondir,$handle);
1.1 raeburn 138: } else {
1.5 ! raeburn 139: return FORBIDDEN;
1.1 raeburn 140: }
141: }
142: my $uhome=&Apache::lonnet::homeserver($env{'user.name'},$env{'user.domain'});
143: if ($uhome =~ /^(con_lost|no_host|no_such_host)$/) {
144: return FORBIDDEN;
145: }
146:
147: my $docroot = $r->dir_config('lonDocRoot');
148: if ($adom eq '' || $aname eq '') {
149: return FORBIDDEN;
150: } elsif (!-d "$docroot/priv/$adom/$aname") {
151: return FORBIDDEN;
152: }
1.2 raeburn 153: my $allowed;
1.1 raeburn 154: if (($env{'user.name'} eq $aname) && ($env{'user.domain'} eq $adom)) {
155: if ($env{"user.role.au./$adom/"}) {
1.2 raeburn 156: $allowed = 1;
1.1 raeburn 157: }
158: } else {
159: if (($env{"user.role.ca./$adom/$aname"}) ||
160: (env{"user.role.aa./$adom/$aname"})) {
1.2 raeburn 161: $allowed = 1;
1.1 raeburn 162: }
163: }
1.2 raeburn 164: if ($allowed) {
165: my $method = $r->method();
166: if (($r->filename =~ /.+\.(log|bak|meta|save)$/) || ($r->filename =~ /\.\d+\.\w+$/) ||
167: ($r->filename =~ m{/\.+[^_/]+$})) {
168: if (($method eq 'MKCOL') || ($method eq 'PUT')) {
169: return FORBIDDEN;
170: } elsif ($method eq 'MOVE') {
171: if (($r->filename =~ /\.\d+\.\w+$/) || ($r->filename =~ m{/\.+[^_/]+$})) {
172: return FORBIDDEN;
173: }
174: }
175: }
176: if (($method eq 'DELETE') || ($method eq 'MOVE')) {
177: unless (($r->filename =~ m{/\._[^/]+$}) || ($r->filename =~ m{/\.DS_Store$})) {
178: my $dirptr=16384;
179: my ($cmode,$cmtime)=(stat($r->filename))[2,9];
180: if (($cmode&$dirptr)) {
181: my $numpub = 0;
182: $numpub = &recurse_dir($r->filename,$r->dir_config('lonDocRoot'),$numpub);
183: if ($numpub) {
184: return FORBIDDEN;
185: }
186: } else {
187: if ($r->filename =~ /^(.+)\.(log|bak|save|meta)$/) {
188: my $conjugate = $1;
189: my $type = $2;
190: if (($type eq 'log') || ($type eq 'meta')) {
191: if (-e $conjugate) {
192: my $conjstatus = &pubstatus($conjugate,$r->dir_config('lonDocRoot'));
193: unless (($conjstatus eq 'unpublished') || ($conjstatus eq 'obsolete')) {
194: return FORBIDDEN;
195: }
196: }
197: }
198: } else {
199: my $status = &pubstatus($r->filename,$r->dir_config('lonDocRoot'));
200: unless (($status eq 'unpublished') || ($status eq 'obsolete')) {
201: return FORBIDDEN;
202: }
203: }
204: }
205: }
206: }
207: return OK;
208: }
1.1 raeburn 209: return FORBIDDEN;
210: }
211:
212: sub sso_login {
1.4 raeburn 213: my ($r,$sessiondir,$now,$timetolive,$author) = @_;
1.1 raeburn 214: my ($uname,$udom);
215: my ($uname) = ($r->user =~ m/([a-zA-Z0-9_\-@.]*)/);
216: unless ($uname =~ /^$match_username$/) {
217: return;
218: }
219: $udom = $r->dir_config('lonSSOUserDomain');
220: if ($udom eq '') {
221: $udom = $r->dir_config('lonDefDomain');
222: }
223: unless (($udom =~ /^$match_domain$/)) {
224: return;
225: }
226: my $uhome = &Apache::lonnet::homeserver($uname,$udom);
227: if ($uhome =~ /^(con_lost|no_host|no_such_host)$/) {
228: return;
229: }
230: my $handle =
1.4 raeburn 231: &Apache::lonwebdavauth::init_webdav_env($r,$sessiondir,$uname,$udom,
232: $uhome,$now,$timetolive,$author);
1.1 raeburn 233: if ($handle ne '') {
1.4 raeburn 234: if (&Apache::lonnet::usertools_access($uname,$udom,'webdav')) {
235: my ($webdav) =
236: ($r->uri =~ m{^(/webdav/$match_domain/$match_username/)});
237: &Apache::lonnet::log($udom,$uname,$uhome,
238: "SSO log-in to $webdav from $ENV{'REMOTE_ADDR'}");
239: my $cookie = "lonDAV=$handle; path=/webdav/; secure; HttpOnly;";
240: $r->header_out('Set-cookie' => $cookie);
241: $r->send_http_header;
242: }
1.1 raeburn 243: }
244: return ($handle);
245: }
246:
1.2 raeburn 247: sub pubstatus {
248: my ($fn,$docroot,$cmtime) = @_;
249: my $privfn = $fn;
250: my $thisdisfn = $fn;
251: $thisdisfn=~s/^\Q$docroot\E\/priv//;
252: my $resfn=$docroot.'/res'.$thisdisfn;
253: my $targetfn = '/res'.$thisdisfn;
254: my $status = 'unpublished';
255: if (-e $resfn) {
256: $status = 'published';
257: my $same = 0;
258: if ((stat($resfn))[9] >= $cmtime) {
259: $same = 1;
260: } else {
261: if (&Apache::londiff::are_different_files($resfn,$privfn)) {
262: $same = 0;
263: } else {
264: $same = 1;
265: }
266: }
267: if ($same) {
268: if (&Apache::lonnet::metadata($targetfn,'obsolete')) {
269: $status = 'obsolete';
270: }
271: }
272: }
273: return $status;
274: }
275:
276: sub recurse_dir {
277: my ($dirname,$docroot,$numpub) = @_;
278: $dirname =~ s{/$}{};
279: my $dirptr=16384;
280: if (opendir(my $dirh,$dirname)) {
281: my @items = readdir($dirh);
282: closedir($dirh);
283: foreach my $item (@items) {
284: next if ($item =~ /.+\.(log|bak|save|meta)$/);
285: next if ($item =~ /^\.+/);
286: my ($cmode,$cmtime)=(stat("$dirname/$item"))[2,9];
287: if (!($cmode&$dirptr)) {
288: if (&pubstatus("$dirname/$item",$docroot,$cmtime) eq 'published') {
289: $numpub ++;
290: }
291: } else {
1.3 raeburn 292: $numpub = &recurse_dir("$dirname/$item",$docroot,$numpub);
1.2 raeburn 293: }
294: }
295: }
296: return $numpub;
297: }
298:
1.1 raeburn 299: 1;
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>