loncom/lond - diff

Return to lond CVS log

Up to [LON-CAPA] / loncom

Diff for /loncom/lond between versions 1.532 and 1.536

version 1.532, 2017/02/28 05:42:06	version 1.536, 2017/05/09 03:04:21
Line 229 my %trust = (	Line 229 my %trust = (
dump => {remote => 1, enroll => 1, domroles => 1},	dump => {remote => 1, enroll => 1, domroles => 1},
edit => {institutiononly => 1}, #not used currently	edit => {institutiononly => 1}, #not used currently
eget => {remote => 1, domroles => 1, enroll => 1}, #not used currently	eget => {remote => 1, domroles => 1, enroll => 1}, #not used currently
	egetdom => {remote => 1, domroles => 1, enroll => 1, },
ekey => {}, #not used currently	ekey => {}, #not used currently
exit => {anywhere => 1},	exit => {anywhere => 1},
fetchuserfile => {remote => 1, enroll => 1},	fetchuserfile => {remote => 1, enroll => 1},
Line 265 my %trust = (	Line 266 my %trust = (
putstore => {remote => 1, enroll => 1},	putstore => {remote => 1, enroll => 1},
queryreply => {anywhere => 1},	queryreply => {anywhere => 1},
querysend => {anywhere => 1},	querysend => {anywhere => 1},
	querysend_activitylog => {remote => 1},
	querysend_allusers => {remote => 1, domroles => 1},
	querysend_courselog => {remote => 1},
	querysend_fetchenrollment => {remote => 1},
	querysend_getinstuser => {remote => 1},
	querysend_getmultinstusers => {remote => 1},
	querysend_instdirsearch => {remote => 1, domroles => 1, coaurem => 1},
	querysend_institutionalphotos => {remote => 1},
	querysend_portfolio_metadata => {remote => 1, content => 1},
	querysend_userlog => {remote => 1, domroles => 1},
	querysend_usersearch => {remote => 1, enroll => 1, coaurem => 1},
quit => {anywhere => 1},	quit => {anywhere => 1},
readlonnetglobal => {institutiononly => 1},	readlonnetglobal => {institutiononly => 1},
reinit => {manageronly => 1}, #not used currently	reinit => {manageronly => 1}, #not used currently
Line 2323 sub hash_passwd {	Line 2335 sub hash_passwd {
my $plainsalt = substr($rest[1],0,22);	my $plainsalt = substr($rest[1],0,22);
$salt = Crypt::Eksblowfish::Bcrypt::de_base64($plainsalt);	$salt = Crypt::Eksblowfish::Bcrypt::de_base64($plainsalt);
} else {	} else {
my $defaultcost;	my %domdefaults = &Apache::lonnet::get_domain_defaults($domain);
my %domconfig =	my $defaultcost = $domdefaults{'intauth_cost'};
&Apache::lonnet::get_dom('configuration',['password'],$domain);
if (ref($domconfig{'password'}) eq 'HASH') {
$defaultcost = $domconfig{'password'}{'cost'};
}
if (($defaultcost eq '') \|\| ($defaultcost =~ /D/)) {	if (($defaultcost eq '') \|\| ($defaultcost =~ /D/)) {
$cost = 10;	$cost = 10;
} else {	} else {
Line 3386 sub get_profile_entry {	Line 3394 sub get_profile_entry {
#	#
# Parameters:	# Parameters:
# $cmd - Command keyword of request (eget).	# $cmd - Command keyword of request (eget).
# $tail - Tail of the command. See GetProfileEntry # for more information about this.	# $tail - Tail of the command. See GetProfileEntry
	# for more information about this.
# $client - File open on the client.	# $client - File open on the client.
# Returns:	# Returns:
# 1 - Continue processing	# 1 - Continue processing
Line 3958 sub retrieve_chat_handler {	Line 3967 sub retrieve_chat_handler {
# serviced.	# serviced.
#	#
# Parameters:	# Parameters:
# $cmd - COmmand keyword that initiated the request.	# $cmd - Command keyword that initiated the request.
# $tail - Remainder of the command after the keyword.	# $tail - Remainder of the command after the keyword.
# For this function, this consists of a query and	# For this function, this consists of a query and
# 3 arguments that are self-documentingly labelled	# 3 arguments that are self-documentingly labelled
Line 3972 sub retrieve_chat_handler {	Line 3981 sub retrieve_chat_handler {
sub send_query_handler {	sub send_query_handler {
my ($cmd, $tail, $client) = @_;	my ($cmd, $tail, $client) = @_;


my $userinput = "$cmd:$tail";	my $userinput = "$cmd:$tail";

my ($query,$arg1,$arg2,$arg3)=split(/\:/,$tail);	my ($query,$arg1,$arg2,$arg3)=split(/\:/,$tail);
$query=~s/\n*$//g;	$query=~s/\n*$//g;
	if (($query eq 'usersearch') \|\| ($query eq 'instdirsearch')) {
	my $usersearchconf = &get_usersearch_config($currentdomainid,'directorysrch');
	my $earlyout;
	if (ref($usersearchconf) eq 'HASH') {
	if ($currentdomainid eq $clienthomedom) {
	if ($query eq 'usersearch') {
	if ($usersearchconf->{'lcavailable'} eq '0') {
	$earlyout = 1;
	}
	} else {
	if ($usersearchconf->{'available'} eq '0') {
	$earlyout = 1;
	}
	}
	} else {
	if ($query eq 'usersearch') {
	if ($usersearchconf->{'lclocalonly'}) {
	$earlyout = 1;
	}
	} else {
	if ($usersearchconf->{'localonly'}) {
	$earlyout = 1;
	}
	}
	}
	}
	if ($earlyout) {
	&Reply($client, "query_not_authorized\n");
	return 1;
	}
	}
&Reply($client, "". &sql_reply("$clientname\&$query".	&Reply($client, "". &sql_reply("$clientname\&$query".
"\&$arg1"."\&$arg2"."\&$arg3")."\n",	"\&$arg1"."\&$arg2"."\&$arg3")."\n",
$userinput);	$userinput);
Line 4839 sub get_domain_handler {	Line 4878 sub get_domain_handler {
my ($cmd, $tail, $client) = @_;	my ($cmd, $tail, $client) = @_;


my $userinput = "$client:$tail";	my $userinput = "$cmd:$tail";

	my ($udom,$namespace,$what)=split(/:/,$tail,3);
	chomp($what);
	if ($namespace =~ /^enc/) {
	&Failure( $client, "refused\n", $userinput);
	} else {
	my @queries=split(/\&/,$what);
	my $qresult='';
	my $hashref = &tie_domain_hash($udom, "$namespace", &GDBM_READER());
	if ($hashref) {
	for (my $i=0;$i<=$#queries;$i++) {
	$qresult.="$hashref->{$queries[$i]}&";
	}
	if (&untie_domain_hash($hashref)) {
	$qresult=~s/\&$//;
	&Reply($client, \$qresult, $userinput);
	} else {
	&Failure( $client, "error: ".($!+0)." untie(GDBM) Failed ".
	"while attempting getdom\n",$userinput);
	}
	} else {
	&Failure($client, "error: ".($!+0)." tie(GDBM) Failed ".
	"while attempting getdom\n",$userinput);
	}
	}

	return 1;
	}
	&register_handler("getdom", \&get_domain_handler, 0, 1, 0);

	sub encrypted_get_domain_handler {
	my ($cmd, $tail, $client) = @_;

	my $userinput = "$cmd:$tail";

my ($udom,$namespace,$what)=split(/:/,$tail,3);	my ($udom,$namespace,$what)=split(/:/,$tail,3);
chomp($what);	chomp($what);
Line 4852 sub get_domain_handler {	Line 4925 sub get_domain_handler {
}	}
if (&untie_domain_hash($hashref)) {	if (&untie_domain_hash($hashref)) {
$qresult=~s/\&$//;	$qresult=~s/\&$//;
&Reply($client, \$qresult, $userinput);	if ($cipher) {
	my $cmdlength=length($qresult);
	$qresult.=" ";
	my $encqresult='';
	for (my $encidx=0;$encidx<=$cmdlength;$encidx+=8) {
	$encqresult.= unpack("H16",
	$cipher->encrypt(substr($qresult,
	$encidx,
	8)));
	}
	&Reply( $client, "enc:$cmdlength:$encqresult\n", $userinput);
	} else {
	&Failure( $client, "error:no_key\n", $userinput);
	}
} else {	} else {
&Failure( $client, "error: ".($!+0)." untie(GDBM) Failed ".	&Failure( $client, "error: ".($!+0)." untie(GDBM) Failed ".
"while attempting getdom\n",$userinput);	"while attempting egetdom\n",$userinput);
}	}
} else {	} else {
&Failure($client, "error: ".($!+0)." tie(GDBM) Failed ".	&Failure($client, "error: ".($!+0)." tie(GDBM) Failed ".
"while attempting getdom\n",$userinput);	"while attempting egetdom\n",$userinput);
}	}

return 1;	return 1;
}	}
&register_handler("getdom", \&get_domain_handler, 0, 1, 0);	&register_handler("egetdom", \&encrypted_get_domain_handler, 1, 1, 0);

#	#
# Puts an id to a domains id database.	# Puts an id to a domains id database.
Line 5764 sub auto_export_grades_handler {	Line 5849 sub auto_export_grades_handler {
return 1;	return 1;
}	}
&register_handler("autoexportgrades", \&auto_export_grades_handler,	&register_handler("autoexportgrades", \&auto_export_grades_handler,
0, 1, 0);	1, 1, 0);

# Retrieve and remove temporary files created by/during autoenrollment.	# Retrieve and remove temporary files created by/during autoenrollment.
#	#
Line 6515 sub process_request {	Line 6600 sub process_request {
$ok = 0;	$ok = 0;
}	}
if ($ok) {	if ($ok) {
	my $realcommand = $command;
	if ($command eq 'querysend') {
	my ($query,$rest)=split(/\:/,$tail,2);
	$query=~s/\n*$//g;
	my @possqueries =
	qw(userlog courselog fetchenrollment institutionalphotos usersearch instdirsearch getinstuser getmultinstusers);
	if (grep(/^\Q$query\E$/,@possqueries)) {
	$command .= '_'.$query;
	} elsif ($query eq 'prepare activity log') {
	$command .= '_activitylog';
	}
	}
if (ref($trust{$command}) eq 'HASH') {	if (ref($trust{$command}) eq 'HASH') {
my $donechecks;	my $donechecks;
if ($trust{$command}{'anywhere'}) {	if ($trust{$command}{'anywhere'}) {
Line 6556 sub process_request {	Line 6653 sub process_request {
}	}
}	}
}	}
	$command = $realcommand;
}	}

if($ok) {	if($ok) {
Line 7372 sub make_new_child {	Line 7470 sub make_new_child {
."Attempted insecure connection disallowed </font>");	."Attempted insecure connection disallowed </font>");
close $client;	close $client;
$clientok = 0;	$clientok = 0;

}	}
}	}
} else {	} else {
Line 7381 sub make_new_child {	Line 7478 sub make_new_child {
."$clientip failed to initialize: >$remotereq< </font>");	."$clientip failed to initialize: >$remotereq< </font>");
&status('No init '.$clientip);	&status('No init '.$clientip);
}	}

} else {	} else {
&logthis(	&logthis(
"<font color='blue'>WARNING: Unknown client $clientip</font>");	"<font color='blue'>WARNING: Unknown client $clientip</font>");
Line 7618 sub password_filename {	Line 7714 sub password_filename {
# domain - domain of the user.	# domain - domain of the user.
# name - User's name.	# name - User's name.
# contents - New contents of the file.	# contents - New contents of the file.
	# saveold - (optional). If true save old file in a passwd.bak file.
# Returns:	# Returns:
# 0 - Failed.	# 0 - Failed.
# 1 - Success.	# 1 - Success.
#	#
sub rewrite_password_file {	sub rewrite_password_file {
my ($domain, $user, $contents) = @_;	my ($domain, $user, $contents, $saveold) = @_;

my $file = &password_filename($domain, $user);	my $file = &password_filename($domain, $user);
if (defined $file) {	if (defined $file) {
	if ($saveold) {
	my $bakfile = $file.'.bak';
	if (CopyFile($file,$bakfile)) {
	chmod(0400,$bakfile);
	&logthis("Old password saved in passwd.bak for internally authenticated user: $user:$domain");
	} else {
	&logthis("Failed to save old password in passwd.bak for internally authenticated user: $user:$domain");
	}
	}
my $pf = IO::File->new(">$file");	my $pf = IO::File->new(">$file");
if($pf) {	if($pf) {
print $pf "$contents\n";	print $pf "$contents\n";
Line 7717 sub validate_user {	Line 7823 sub validate_user {
$contentpwd = $domdefaults{'auth_arg_def'};	$contentpwd = $domdefaults{'auth_arg_def'};
}	}
}	}
}	}
if ($howpwd ne 'nouser') {	if ($howpwd ne 'nouser') {
if($howpwd eq "internal") { # Encrypted is in local password file.	if($howpwd eq "internal") { # Encrypted is in local password file.
if (length($contentpwd) == 13) {	if (length($contentpwd) == 13) {
$validated = (crypt($password,$contentpwd) eq $contentpwd);	$validated = (crypt($password,$contentpwd) eq $contentpwd);
if ($validated) {	if ($validated) {
my $ncpass = &hash_passwd($domain,$password);	my %domdefaults = &Apache::lonnet::get_domain_defaults($domain);
if (&rewrite_password_file($domain,$user,"$howpwd:$ncpass")) {	if ($domdefaults{'intauth_switch'}) {
&update_passwd_history($user,$domain,$howpwd,'conversion');	my $ncpass = &hash_passwd($domain,$password);
&logthis("Validated password hashed with bcrypt for $user:$domain");	my $saveold;
	if ($domdefaults{'intauth_switch'} == 2) {
	$saveold = 1;
	}
	if (&rewrite_password_file($domain,$user,"$howpwd:$ncpass",$saveold)) {
	&update_passwd_history($user,$domain,$howpwd,'conversion');
	&logthis("Validated password hashed with bcrypt for $user:$domain");
	}
}	}
}	}
} else {	} else {
$validated = &check_internal_passwd($password,$contentpwd,$domain);	$validated = &check_internal_passwd($password,$contentpwd,$domain,$user);
}	}
}	}
elsif ($howpwd eq "unix") { # User is a normal unix user.	elsif ($howpwd eq "unix") { # User is a normal unix user.
Line 7800 sub validate_user {	Line 7913 sub validate_user {
}	}

sub check_internal_passwd {	sub check_internal_passwd {
my ($plainpass,$stored,$domain) = @_;	my ($plainpass,$stored,$domain,$user) = @_;
my (undef,$method,@rest) = split(/!/,$stored);	my (undef,$method,@rest) = split(/!/,$stored);
if ($method eq "bcrypt") {	if ($method eq 'bcrypt') {
my $result = &hash_passwd($domain,$plainpass,@rest);	my $result = &hash_passwd($domain,$plainpass,@rest);
if ($result ne $stored) {	if ($result ne $stored) {
return 0;	return 0;
}	}
# Upgrade to a larger number of rounds if necessary	my %domdefaults = &Apache::lonnet::get_domain_defaults($domain);
my $defaultcost;	if ($domdefaults{'intauth_check'}) {
my %domconfig =	# Upgrade to a larger number of rounds if necessary
&Apache::lonnet::get_dom('configuration',['password'],$domain);	my $defaultcost = $domdefaults{'intauth_cost'};
if (ref($domconfig{'password'}) eq 'HASH') {	if (($defaultcost eq '') \|\| ($defaultcost =~ /D/)) {
$defaultcost = $domconfig{'password'}{'cost'};	$defaultcost = 10;
}	}
if (($defaultcost eq '') \|\| ($defaultcost =~ /D/)) {	if (int($rest[0])<int($defaultcost)) {
$defaultcost = 10;	if ($domdefaults{'intauth_check'} == 1) {
	my $ncpass = &hash_passwd($domain,$plainpass);
	if (&rewrite_password_file($domain,$user,"internal:$ncpass")) {
	&update_passwd_history($user,$domain,'internal','update cost');
	&logthis("Validated password hashed with bcrypt for $user:$domain");
	}
	return 1;
	} elsif ($domdefaults{'intauth_check'} == 2) {
	return 0;
	}
	}
	} else {
	return 1;
}	}
return 1 unless($rest[0]<$defaultcost);
}	}
return 0;	return 0;
}	}
Line 8244 sub get_usersession_config {	Line 8368 sub get_usersession_config {
}	}
return;	return;
}	}

	sub get_usersearch_config {
	my ($dom,$name) = @_;
	my ($usersearchconf,$cached)=&Apache::lonnet::is_cached_new($name,$dom);
	if (defined($cached)) {
	return $usersearchconf;
	} else {
	my %domconfig = &Apache::lonnet::get_dom('configuration',['directorysrch'],$dom);
	&Apache::lonnet::do_cache_new($name,$dom,$domconfig{'directorysrch'},600);
	return $domconfig{'directorysrch'};
	}
	return;
	}

sub get_prohibited {	sub get_prohibited {
my ($dom) = @_;	my ($dom) = @_;

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.532
changed lines
	Added in v.1.536