--- loncom/lond 2003/08/25 15:33:47 1.139 +++ loncom/lond 2003/08/26 11:15:57 1.140 @@ -2,7 +2,7 @@ # The LearningOnline Network # lond "LON Daemon" Server (port "LOND" 5663) # -# $Id: lond,v 1.139 2003/08/25 15:33:47 albertel Exp $ +# $Id: lond,v 1.140 2003/08/26 11:15:57 foxr Exp $ # # Copyright Michigan State University Board of Trustees # @@ -81,12 +81,14 @@ my $DEBUG = 0; # Non zero to ena my $status=''; my $lastlog=''; -my $VERSION='$Revision: 1.139 $'; #' stupid emacs +my $VERSION='$Revision: 1.140 $'; #' stupid emacs my $remoteVERSION; my $currenthostid; my $currentdomainid; my $client; +my $clientip; + my $server; my $thisserver; @@ -133,6 +135,44 @@ my @adderrors = ("ok", # +# GetCertificate: Given a transaction that requires a certificate, +# this function will extract the certificate from the transaction +# request. Note that at this point, the only concept of a certificate +# is the hostname to which we are connected. +# +# Parameter: +# request - The request sent by our client (this parameterization may +# need to change when we really use a certificate granting +# authority. +# +sub GetCertificate { + my $request = shift; + + return $clientip; +} + + +# +# ValidManager: Determines if a given certificate represents a valid manager. +# in this primitive implementation, the 'certificate' is +# just the connecting loncapa client name. This is checked +# against a valid client list in the configuration. +# +# +sub ValidManager { + my $certificate = shift; + + my $hostentry = $hostid{$certificate}; + if ($hostentry ne undef) { + &logthis('Authenticating manager'. + " $hostentry"); + return 1; + } else { + &logthis(' Failed manager authentication '. + "$certificate "); + } +} +# # Convert an error return code from lcpasswd to a string value. # sub lcpasswdstrerror { @@ -534,7 +574,6 @@ sub make_new_child { sigprocmask(SIG_BLOCK, $sigset) or die "Can't block SIGINT for fork: $!\n"; - my $clientip; die "fork: $!" unless defined ($pid = fork); if ($pid) { 
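Review bot: In ValidManager the failure branch has no `return`, so the sub yields whatever its last statement, `&logthis(...)`, evaluates to. logthis is not visible here, but if it returns a true value, a host that is not in `%hostid` would still pass the `if(ValidManager($cert))` checks; add an explicit `return 0;` after the failure log line. The test `$hostentry ne undef` is a string comparison against the empty string rather than a definedness test, and it warns under `use warnings`; `if (defined($hostentry)) {` says what is meant. The header comment also calls the certificate a client name while GetCertificate returns `$clientip`, and any entry in `%hostid` is accepted as a manager. If `%hostid` holds every configured host (not shown in this hunk), the comment should say that every configured host is currently treated as a manager.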
@@ -703,10 +742,28 @@ sub make_new_child { } #--------------------------------------------------------------------- pushfile } elsif($userinput =~ /^pushfile/) { - print $client "ok\n"; + if($wasenc == 1) { + my $cert = GetCertificate($userinput); + if(ValidManager($cert)) { + print $client "ok\n"; + } else { + print $client "refused\n"; + } + } else { + print $client "refused\n"; + } #--------------------------------------------------------------------- reinit } elsif($userinput =~ /^reinit/) { - print $client "ok\n"; + if ($wasenc == 1) { + my $cert = GetCertificate($userinput); + if(ValidManager($cert)) { + print $client "ok\n"; + } else { + print $client "refused\n"; + } + } else { + print $client "refused\n"; + } # ------------------------------------------------------------------------ auth } elsif ($userinput =~ /^auth/) { if ($wasenc==1) {
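Review bot: Both `else` branches for `$wasenc != 1` send `refused` without writing anything to the log, so an unencrypted pushfile or reinit attempt leaves no trace; only the ValidManager path logs. A line such as `&logthis("Refused unencrypted management request from $clientip");` before each of those `print $client "refused\n";` statements would give operators something to alert on. The pushfile and reinit branches are also identical line for line, so moving the check into one small helper would keep the two handlers from drifting apart. The enclosing make_new_child starts and ends outside this hunk.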