--- loncom/lond 2014/11/24 02:36:16 1.512
+++ loncom/lond 2016/08/11 16:35:14 1.524
@@ -2,7 +2,7 @@
# The LearningOnline Network
# lond "LON Daemon" Server (port "LOND" 5663)
#
-# $Id: lond,v 1.512 2014/11/24 02:36:16 raeburn Exp $
+# $Id: lond,v 1.524 2016/08/11 16:35:14 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -41,7 +41,7 @@ use IO::File;
#use Apache::File;
use POSIX;
use Crypt::IDEA;
-use LWP::UserAgent();
+use HTTP::Request;
use Digest::MD5 qw(md5_hex);
use GDBM_File;
use Authen::Krb5;
@@ -55,13 +55,17 @@ use LONCAPA::lonssl;
use Fcntl qw(:flock);
use Apache::lonnet;
use Mail::Send;
+use Crypt::Eksblowfish::Bcrypt;
+use Digest::SHA;
+use Encode;
+use LONCAPA::LWPReq;
my $DEBUG = 0; # Non zero to enable debug log entries.
my $status='';
my $lastlog='';
-my $VERSION='$Revision: 1.512 $'; #' stupid emacs
+my $VERSION='$Revision: 1.524 $'; #' stupid emacs
my $remoteVERSION;
my $currenthostid="default";
my $currentdomainid;
@@ -664,10 +668,8 @@ sub PushFile {
$clientprotocol = 'http' if ($clientprotocol ne 'https');
my $url = '/adm/'.$filename;
$url =~ s{_}{/};
- my $ua=new LWP::UserAgent;
- $ua->timeout(60);
my $request=new HTTP::Request('GET',"$clientprotocol://$clienthost$url");
- my $response=$ua->request($request);
+ my $response = LONCAPA::LWPReq::makerequest($clientname,$request,'',\%perlvar,60,0);
if ($response->is_error()) {
&logthis('<font color="red"> Pushfile: unable to install '
.$tablefile." - error attempting to pull data. </font>");
@@ -1794,6 +1796,16 @@ sub server_distarch_handler {
}
®ister_handler("serverdistarch", \&server_distarch_handler, 0, 1, 0);
+sub server_certs_handler {
+ my ($cmd,$tail,$client) = @_;
+ my $userinput = "$cmd:$tail";
+ my $result;
+ my $result = &LONCAPA::Lond::server_certs(\%perlvar);
+ &Reply($client,\$result,$userinput);
+ return;
+}
+®ister_handler("servercerts", \&server_certs_handler, 0, 1, 0);
+
# Process a reinit request. Reinit requests that either
# lonc or lond be reinitialized so that an updated
# host.tab or domain.tab can be processed.
@@ -2013,15 +2025,14 @@ sub change_password_handler {
my ($howpwd,$contentpwd)=split(/:/,$realpasswd);
if ($howpwd eq 'internal') {
&Debug("internal auth");
- my $salt=time;
- $salt=substr($salt,6,2);
- my $ncpass=crypt($npass,$salt);
+ my $ncpass = &hash_passwd($udom,$npass);
if(&rewrite_password_file($udom, $uname, "internal:$ncpass")) {
my $msg="Result of password change for $uname: pwchange_success";
if ($lonhost) {
$msg .= " - request originated from: $lonhost";
}
&logthis($msg);
+ &update_passwd_history($uname,$udom,$howpwd,$context);
&Reply($client, "ok\n", $userinput);
} else {
&logthis("Unable to open $uname passwd "
@@ -2030,6 +2041,9 @@ sub change_password_handler {
}
} elsif ($howpwd eq 'unix' && $context ne 'reset_by_email') {
my $result = &change_unix_password($uname, $npass);
+ if ($result eq 'ok') {
+ &update_passwd_history($uname,$udom,$howpwd,$context);
+ }
&logthis("Result of password change for $uname: ".
$result);
&Reply($client, \$result, $userinput);
@@ -2052,6 +2066,42 @@ sub change_password_handler {
}
®ister_handler("passwd", \&change_password_handler, 1, 1, 0);
+sub hash_passwd {
+ my ($domain,$plainpass,@rest) = @_;
+ my ($salt,$cost);
+ if (@rest) {
+ $cost = $rest[0];
+ # salt is first 22 characters, base-64 encoded by bcrypt
+ my $plainsalt = substr($rest[1],0,22);
+ $salt = Crypt::Eksblowfish::Bcrypt::de_base64($plainsalt);
+ } else {
+ my $defaultcost;
+ my %domconfig =
+ &Apache::lonnet::get_dom('configuration',['password'],$domain);
+ if (ref($domconfig{'password'}) eq 'HASH') {
+ $defaultcost = $domconfig{'password'}{'cost'};
+ }
+ if (($defaultcost eq '') || ($defaultcost =~ /D/)) {
+ $cost = 10;
+ } else {
+ $cost = $defaultcost;
+ }
+ # Generate random 16-octet base64 salt
+ $salt = "";
+ $salt .= pack("C", int rand(256)) for 1..16;
+ }
+ my $hash = &Crypt::Eksblowfish::Bcrypt::bcrypt_hash({
+ key_nul => 1,
+ cost => $cost,
+ salt => $salt,
+ }, Digest::SHA::sha512(Encode::encode('UTF-8',$plainpass)));
+
+ my $result = join("!", "", "bcrypt", sprintf("%02d",$cost),
+ &Crypt::Eksblowfish::Bcrypt::en_base64($salt).
+ &Crypt::Eksblowfish::Bcrypt::en_base64($hash));
+ return $result;
+}
+
#
# Create a new user. User in this case means a lon-capa user.
# The user must either already exist in some authentication realm
@@ -2095,7 +2145,8 @@ sub add_user_handler {
."makeuser";
}
unless ($fperror) {
- my $result=&make_passwd_file($uname,$udom,$umode,$npass, $passfilename);
+ my $result=&make_passwd_file($uname,$udom,$umode,$npass,
+ $passfilename,'makeuser');
&Reply($client,\$result, $userinput); #BUGBUG - could be fail
} else {
&Failure($client, \$fperror, $userinput);
@@ -2164,12 +2215,14 @@ sub change_authentication_handler {
my $result = &change_unix_password($uname, $npass);
&logthis("Result of password change for $uname: ".$result);
if ($result eq "ok") {
+ &update_passwd_history($uname,$udom,$umode,'changeuserauth');
&Reply($client, \$result);
} else {
&Failure($client, \$result);
}
} else {
- my $result=&make_passwd_file($uname,$udom,$umode,$npass,$passfilename);
+ my $result=&make_passwd_file($uname,$udom,$umode,$npass,
+ $passfilename,'changeuserauth');
#
# If the current auth mode is internal, and the old auth mode was
# unix, or krb*, and the user is an author for this domain,
@@ -2190,6 +2243,17 @@ sub change_authentication_handler {
}
®ister_handler("changeuserauth", \&change_authentication_handler, 1,1, 0);
+sub update_passwd_history {
+ my ($uname,$udom,$umode,$context) = @_;
+ my $proname=&propath($udom,$uname);
+ my $now = time;
+ if (open(my $fh,">>$proname/passwd.log")) {
+ print $fh "$now:$umode:$context\n";
+ close($fh);
+ }
+ return;
+}
+
#
# Determines if this is the home server for a user. The home server
# for a user will have his/her lon-capa passwd file. Therefore all we need
@@ -2276,9 +2340,8 @@ sub update_resource_handler {
# FIXME: this should use the LWP mechanism, not internal alarms.
alarm(1200);
{
- my $ua=new LWP::UserAgent;
my $request=new HTTP::Request('GET',"$remoteurl");
- $response=$ua->request($request,$transname);
+ $response=&LONCAPA::LWPReq::makerequest($clientname,$request,$transname,\%perlvar,1200,0,1);
}
alarm(0);
if ($response->is_error()) {
@@ -2291,9 +2354,8 @@ sub update_resource_handler {
# FIXME: isn't there an internal LWP mechanism for this?
alarm(120);
{
- my $ua=new LWP::UserAgent;
my $mrequest=new HTTP::Request('GET',$remoteurl.'.meta');
- my $mresponse=$ua->request($mrequest,$fname.'.meta');
+ my $mresponse = &LONCAPA::LWPReq::makerequest($clientname,$mrequest,$fname.'.meta',\%perlvar,120,0,1);
if ($mresponse->is_error()) {
unlink($fname.'.meta');
}
@@ -2368,11 +2430,15 @@ sub fetch_user_file_handler {
my $remoteurl=$clientprotocol.'://'.$clienthost.'/userfiles/'.$fname;
my $response;
Debug("Remote URL : $remoteurl Transfername $transname Destname: $destname");
- alarm(120);
+ alarm(1200);
{
- my $ua=new LWP::UserAgent;
my $request=new HTTP::Request('GET',"$remoteurl");
- $response=$ua->request($request,$transname);
+ my $verifycert = 1;
+ my @machine_ids = &Apache::lonnet::current_machine_ids();
+ if (grep(/^\Q$clientname\E$/,@machine_ids)) {
+ $verifycert = 0;
+ }
+ $response = &LONCAPA::LWPReq::makerequest($clientname,$request,$transname,\%perlvar,1200,$verifycert);
}
alarm(0);
if ($response->is_error()) {
@@ -2441,11 +2507,20 @@ sub remove_user_file_handler {
if (-e $file) {
#
# If the file is a regular file unlink is fine...
- # However it's possible the client wants a dir.
- # removed, in which case rmdir is more approprate:
+ # However it's possible the client wants a dir
+ # removed, in which case rmdir is more appropriate.
+ # Note: rmdir will only remove an empty directory.
#
if (-f $file){
unlink($file);
+ # for html files remove the associated .bak file
+ # which may have been created by the editor.
+ if ($ufile =~ m{^((docs|supplemental)/(?:\d+|default)/\d+(?:|/.+)/)[^/]+\.x?html?$}i) {
+ my $path = $1;
+ if (-e $file.'.bak') {
+ unlink($file.'.bak');
+ }
+ }
} elsif(-d $file) {
rmdir($file);
}
@@ -2808,8 +2883,12 @@ sub newput_user_profile_entry {
foreach my $pair (@pairs) {
my ($key,$value)=split(/=/,$pair);
if (exists($hashref->{$key})) {
- &Failure($client, "key_exists: ".$key."\n",$userinput);
- return 1;
+ if (!&untie_user_hash($hashref)) {
+ &logthis("error: ".($!+0)." untie (GDBM) failed ".
+ "while attempting newput - early out as key exists");
+ }
+ &Failure($client, "key_exists: ".$key."\n",$userinput);
+ return 1;
}
}
@@ -4373,6 +4452,122 @@ sub put_domain_handler {
}
®ister_handler("putdom", \&put_domain_handler, 0, 1, 0);
+# Updates one or more entries in clickers.db file at the domain level
+#
+# Parameters:
+# $cmd - The command that got us here.
+# $tail - Tail of the command (remaining parameters).
+# In this case a colon separated list containing:
+# (a) the domain for which we are updating the entries,
+# (b) the action required -- add or del -- and
+# (c) a &-separated list of entries to add or delete.
+# $client - File descriptor connected to client.
+# Returns
+# 1 - Continue processing.
+# 0 - Requested to exit, caller should shut down.
+# Side effects:
+# reply is written to $client.
+#
+
+
+sub update_clickers {
+ my ($cmd, $tail, $client) = @_;
+
+ my $userinput = "$cmd:$tail";
+ my ($udom,$action,$what) =split(/:/,$tail,3);
+ chomp($what);
+
+ my $hashref = &tie_domain_hash($udom, "clickers", &GDBM_WRCREAT(),
+ "U","$action:$what");
+
+ if (!$hashref) {
+ &Failure( $client, "error: ".($!+0)." tie(GDBM) Failed ".
+ "while attempting updateclickers\n", $userinput);
+ return 1;
+ }
+
+ my @pairs=split(/\&/,$what);
+ foreach my $pair (@pairs) {
+ my ($key,$value)=split(/=/,$pair);
+ if ($action eq 'add') {
+ if (exists($hashref->{$key})) {
+ my @newvals = split(/,/,&unescape($value));
+ my @currvals = split(/,/,&unescape($hashref->{$key}));
+ my @merged = sort(keys(%{{map { $_ => 1 } (@newvals,@currvals)}}));
+ $hashref->{$key}=&escape(join(',',@merged));
+ } else {
+ $hashref->{$key}=$value;
+ }
+ } elsif ($action eq 'del') {
+ if (exists($hashref->{$key})) {
+ my %current;
+ map { $current{$_} = 1; } split(/,/,&unescape($hashref->{$key}));
+ map { delete($current{$_}); } split(/,/,&unescape($value));
+ if (keys(%current)) {
+ $hashref->{$key}=&escape(join(',',sort(keys(%current))));
+ } else {
+ delete($hashref->{$key});
+ }
+ }
+ }
+ }
+ if (&untie_user_hash($hashref)) {
+ &Reply( $client, "ok\n", $userinput);
+ } else {
+ &Failure($client, "error: ".($!+0)." untie(GDBM) failed ".
+ "while attempting put\n",
+ $userinput);
+ }
+ return 1;
+}
+®ister_handler("updateclickers", \&update_clickers, 0, 1, 0);
+
+
+# Deletes one or more entries in a namespace db file at the domain level
+#
+# Parameters:
+# $cmd - The command that got us here.
+# $tail - Tail of the command (remaining parameters).
+# In this case a colon separated list containing:
+# (a) the domain for which we are deleting the entries,
+# (b) &-separated list of keys to delete.
+# $client - File descriptor connected to client.
+# Returns
+# 1 - Continue processing.
+# 0 - Requested to exit, caller should shut down.
+# Side effects:
+# reply is written to $client.
+#
+
+sub del_domain_handler {
+ my ($cmd,$tail,$client) = @_;
+
+ my $userinput = "$cmd:$tail";
+
+ my ($udom,$namespace,$what)=split(/:/,$tail,3);
+ chomp($what);
+ my $hashref = &tie_domain_hash($udom,$namespace,&GDBM_WRCREAT(),
+ "D", $what);
+ if ($hashref) {
+ my @keys=split(/\&/,$what);
+ foreach my $key (@keys) {
+ delete($hashref->{$key});
+ }
+ if (&untie_user_hash($hashref)) {
+ &Reply($client, "ok\n", $userinput);
+ } else {
+ &Failure($client, "error: ".($!+0)." untie(GDBM) Failed ".
+ "while attempting deldom\n", $userinput);
+ }
+ } else {
+ &Failure( $client, "error: ".($!+0)." tie(GDBM) Failed ".
+ "while attempting deldom\n", $userinput);
+ }
+ return 1;
+}
+®ister_handler("deldom", \&del_domain_handler, 0, 1, 0);
+
+
# Unencrypted get from the namespace database file at the domain level.
# This function retrieves a keyed item from a specific named database in the
# domain directory.
@@ -5278,6 +5473,51 @@ sub create_auto_enroll_password_handler
®ister_handler("autocreatepassword", \&create_auto_enroll_password_handler,
0, 1, 0);
+sub auto_export_grades_handler {
+ my ($cmd, $tail, $client) = @_;
+ my $userinput = "$cmd:$tail";
+ my ($cdom,$cnum,$info,$data) = split(/:/,$tail);
+ my $inforef = &Apache::lonnet::thaw_unescape($info);
+ my $dataref = &Apache::lonnet::thaw_unescape($data);
+ my ($outcome,$result);;
+ eval {
+ local($SIG{__DIE__})='DEFAULT';
+ my %rtnhash;
+ $outcome=&localenroll::export_grades($cdom,$cnum,$inforef,$dataref,\%rtnhash);
+ if ($outcome eq 'ok') {
+ foreach my $key (keys(%rtnhash)) {
+ $result .= &escape($key).'='.&Apache::lonnet::freeze_escape($rtnhash{$key}).'&';
+ }
+ $result =~ s/\&$//;
+ }
+ };
+ if (!$@) {
+ if ($outcome eq 'ok') {
+ if ($cipher) {
+ my $cmdlength=length($result);
+ $result.=" ";
+ my $encresult='';
+ for (my $encidx=0;$encidx<=$cmdlength;$encidx+=8) {
+ $encresult.= unpack("H16",
+ $cipher->encrypt(substr($result,
+ $encidx,
+ 8)));
+ }
+ &Reply( $client, "enc:$cmdlength:$encresult\n", $userinput);
+ } else {
+ &Failure( $client, "error:no_key\n", $userinput);
+ }
+ } else {
+ &Reply($client, "$outcome\n", $userinput);
+ }
+ } else {
+ &Failure($client,"export_error\n",$userinput);
+ }
+ return 1;
+}
+®ister_handler("autoexportgrades", \&auto_export_grades_handler,
+ 0, 1, 0);
+
# Retrieve and remove temporary files created by/during autoenrollment.
#
# Formal Parameters:
@@ -5298,7 +5538,10 @@ sub retrieve_auto_file_handler {
my ($filename) = split(/:/, $tail);
my $source = $perlvar{'lonDaemons'}.'/tmp/'.$filename;
- if ( (-e $source) && ($filename ne '') ) {
+
+ if ($filename =~m{/\.\./}) {
+ &Failure($client, "refused\n", $userinput);
+ } elsif ( (-e $source) && ($filename ne '') ) {
my $reply = '';
if (open(my $fh,$source)) {
while (<$fh>) {
@@ -5330,7 +5573,7 @@ sub crsreq_checks_handler {
my $userinput = "$cmd:$tail";
my $dom = $tail;
my $result;
- my @reqtypes = ('official','unofficial','community','textbook');
+ my @reqtypes = ('official','unofficial','community','textbook','placement');
eval {
local($SIG{__DIE__})='DEFAULT';
my %validations;
@@ -5406,7 +5649,7 @@ sub crsreq_update_handler {
$title,$code,$accessstart,$accessend,
$incoming,\%rtnhash);
if ($outcome eq 'ok') {
- my @posskeys = qw(createdweb createdmsg queuedweb queuedmsg formitems reviewweb);
+ my @posskeys = qw(createdweb createdmsg createdcustomized createdactions queuedweb queuedmsg formitems reviewweb validationjs onload javascript);
foreach my $key (keys(%rtnhash)) {
if (grep(/^\Q$key\E/,@posskeys)) {
$result .= &escape($key).'='.&Apache::lonnet::freeze_escape($rtnhash{$key}).'&';
@@ -6625,7 +6868,7 @@ sub make_new_child {
&Authen::Krb5::init_context();
my $no_ets;
- if ($dist =~ /^(?:centos|rhes)(\d+)$/) {
+ if ($dist =~ /^(?:centos|rhes|scientific)(\d+)$/) {
if ($1 >= 7) {
$no_ets = 1;
}
@@ -6633,6 +6876,10 @@ sub make_new_child {
if (($1 eq '9.3') || ($1 >= 12.2)) {
$no_ets = 1;
}
+ } elsif ($dist =~ /^sles(\d+)$/) {
+ if ($1 > 11) {
+ $no_ets = 1;
+ }
} elsif ($dist =~ /^fedora(\d+)$/) {
if ($1 < 7) {
$no_ets = 1;
@@ -6683,7 +6930,6 @@ sub make_new_child {
#
# If the remote is attempting a local init... give that a try:
#
- logthis("remotereq: $remotereq");
(my $i, my $inittype, $clientversion) = split(/:/, $remotereq);
# For LON-CAPA 2.9, the client session will have sent its LON-CAPA
# version when initiating the connection. For LON-CAPA 2.8 and older,
@@ -7024,7 +7270,18 @@ sub validate_user {
}
if ($howpwd ne 'nouser') {
if($howpwd eq "internal") { # Encrypted is in local password file.
- $validated = (crypt($password, $contentpwd) eq $contentpwd);
+ if (length($contentpwd) == 13) {
+ $validated = (crypt($password,$contentpwd) eq $contentpwd);
+ if ($validated) {
+ my $ncpass = &hash_passwd($domain,$password);
+ if (&rewrite_password_file($domain,$user,"$howpwd:$ncpass")) {
+ &update_passwd_history($user,$domain,$howpwd,'conversion');
+ &logthis("Validated password hashed with bcrypt for $user:$domain");
+ }
+ }
+ } else {
+ $validated = &check_internal_passwd($password,$contentpwd,$domain);
+ }
}
elsif ($howpwd eq "unix") { # User is a normal unix user.
$contentpwd = (getpwnam($user))[1];
@@ -7092,6 +7349,39 @@ sub validate_user {
return $validated;
}
+sub check_internal_passwd {
+ my ($plainpass,$stored,$domain) = @_;
+ my (undef,$method,@rest) = split(/!/,$stored);
+ if ($method eq "bcrypt") {
+ my $result = &hash_passwd($domain,$plainpass,@rest);
+ if ($result ne $stored) {
+ return 0;
+ }
+ # Upgrade to a larger number of rounds if necessary
+ my $defaultcost;
+ my %domconfig =
+ &Apache::lonnet::get_dom('configuration',['password'],$domain);
+ if (ref($domconfig{'password'}) eq 'HASH') {
+ $defaultcost = $domconfig{'password'}{'cost'};
+ }
+ if (($defaultcost eq '') || ($defaultcost =~ /D/)) {
+ $defaultcost = 10;
+ }
+ return 1 unless($rest[0]<$defaultcost);
+ }
+ return 0;
+}
+
+sub get_last_authchg {
+ my ($domain,$user) = @_;
+ my $lastmod;
+ my $logname = &propath($domain,$user).'/passwd.log';
+ if (-e "$logname") {
+ $lastmod = (stat("$logname"))[9];
+ }
+ return $lastmod;
+}
+
sub krb4_authen {
my ($password,$null,$user,$contentpwd) = @_;
my $validated = 0;
@@ -7407,26 +7697,26 @@ sub change_unix_password {
sub make_passwd_file {
- my ($uname,$udom,$umode,$npass,$passfilename)=@_;
+ my ($uname,$udom,$umode,$npass,$passfilename,$action)=@_;
my $result="ok";
if ($umode eq 'krb4' or $umode eq 'krb5') {
{
my $pf = IO::File->new(">$passfilename");
if ($pf) {
print $pf "$umode:$npass\n";
+ &update_passwd_history($uname,$udom,$umode,$action);
} else {
$result = "pass_file_failed_error";
}
}
} elsif ($umode eq 'internal') {
- my $salt=time;
- $salt=substr($salt,6,2);
- my $ncpass=crypt($npass,$salt);
+ my $ncpass = &hash_passwd($udom,$npass);
{
&Debug("Creating internal auth");
my $pf = IO::File->new(">$passfilename");
if($pf) {
- print $pf "internal:$ncpass\n";
+ print $pf "internal:$ncpass\n";
+ &update_passwd_history($uname,$udom,$umode,$action);
} else {
$result = "pass_file_failed_error";
}
@@ -7436,6 +7726,7 @@ sub make_passwd_file {
my $pf = IO::File->new(">$passfilename");
if($pf) {
print $pf "localauth:$npass\n";
+ &update_passwd_history($uname,$udom,$umode,$action);
} else {
$result = "pass_file_failed_error";
}
@@ -7692,7 +7983,7 @@ Allow for a password to be set.
Make a user.
-=item passwd
+=item changeuserauth
Allow for authentication mechanism and password to be changed.
@@ -7781,6 +8072,10 @@ for each student, defined perhaps by the
Returns usernames corresponding to IDs. (These "IDs" are unique identifiers
for each student, defined perhaps by the institutional Registrar.)
+=item iddel
+
+Deletes one or more ids in a domain's id database.
+
=item tmpput
Accept and store information in temporary space.