--- loncom/lond 2020/10/26 03:47:15 1.489.2.39
+++ loncom/lond 2016/09/27 15:58:59 1.530
@@ -2,7 +2,7 @@
# The LearningOnline Network
# lond "LON Daemon" Server (port "LOND" 5663)
#
-# $Id: lond,v 1.489.2.39 2020/10/26 03:47:15 raeburn Exp $
+# $Id: lond,v 1.530 2016/09/27 15:58:59 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -40,7 +40,7 @@ use IO::File;
#use Apache::File;
use POSIX;
use Crypt::IDEA;
-use LWP::UserAgent();
+use HTTP::Request;
use Digest::MD5 qw(md5_hex);
use GDBM_File;
use Authen::Krb5;
@@ -57,13 +57,14 @@ use Mail::Send;
use Crypt::Eksblowfish::Bcrypt;
use Digest::SHA;
use Encode;
+use LONCAPA::LWPReq;
my $DEBUG = 0; # Non zero to enable debug log entries.
my $status='';
my $lastlog='';
-my $VERSION='$Revision: 1.489.2.39 $'; #' stupid emacs
+my $VERSION='$Revision: 1.530 $'; #' stupid emacs
my $remoteVERSION;
my $currenthostid="default";
my $currentdomainid;
@@ -73,8 +74,14 @@ my $clientip; # IP address of client.
my $clientname; # LonCAPA name of client.
my $clientversion; # LonCAPA version running on client.
my $clienthomedom; # LonCAPA domain of homeID for client.
- # primary library server.
-
+my $clientintdom; # LonCAPA "internet domain" for client.
+my $clientsameinst; # LonCAPA "internet domain" same for
+ # this host and client.
+my $clientremoteok; # Client allowed to host domain's users.
+ # (version constraints ignored), not set
+ # if this host and client share "internet domain".
+my %clientprohibited; # Actions prohibited on client;
+
my $server;
my $keymode;
@@ -144,6 +151,145 @@ my @installerrors = ("ok",
);
#
+# The %trust hash classifies commands according to type of trust
+# required for execution of the command.
+#
+# When clients from a different institution request execution of a
+# particular command, the trust settings for that institution set
+# for this domain (or default domain for a multi-domain server) will
+# be checked to see if running the command is allowed.
+#
+# Trust types which depend on the "Trust" domain configuration
+# for the machine's default domain are:
+#
+# content ("Access to this domain's content by others")
+# shared ("Access to other domain's content by this domain")
+# enroll ("Enrollment in this domain's courses by others")
+# coaurem ("Co-author roles for this domain's users elsewhere")
+# domroles ("Domain roles in this domain assignable to others")
+# catalog ("Course Catalog for this domain displayed elsewhere")
+# reqcrs ("Requests for creation of courses in this domain by others")
+# msg ("Users in other domains can send messages to this domain")
+#
+# Trust type which depends on the User Session Hosting (remote)
+# domain configuration for machine's default domain is: "remote".
+#
+# Trust types which depend on contents of manager.tab in
+# /home/httpd/lonTabs is: "manageronly".
+#
+# Trust type which requires client to share the same LON-CAPA
+# "internet domain" (i.e., same institution as this server) is:
+# "institutiononly".
+#
+
+my %trust = (
+ auth => {remote => 1},
+ autocreatepassword => {remote => 1},
+ autocrsreqchecks => {remote => 1, reqcrs => 1},
+ autocrsrequpdate => {remote => 1},
+ autocrsreqvalidation => {remote => 1},
+ autogetsections => {remote => 1},
+ autoinstcodedefaults => {remote => 1, catalog => 1},
+ autoinstcodeformat => {remote => 1, catalog => 1},
+ autonewcourse => {remote => 1, reqcrs => 1},
+ autophotocheck => {remote => 1, enroll => 1},
+ autophotochoice => {remote => 1},
+ autophotopermission => {remote => 1, enroll => 1},
+ autopossibleinstcodes => {remote => 1, reqcrs => 1},
+ autoretrieve => {remote => 1, enroll => 1, catalog => 1},
+ autorun => {remote => 1, enroll => 1, reqcrs => 1},
+ autovalidateclass_sec => {catalog => 1},
+ autovalidatecourse => {remote => 1, enroll => 1},
+ autovalidateinstcode => {domroles => 1, remote => 1, enroll => 1},
+ changeuserauth => {remote => 1, domroles => 1},
+ chatretr => {remote => 1, enroll => 1},
+ chatsend => {remote => 1, enroll => 1},
+ courseiddump => {remote => 1, domroles => 1, enroll => 1},
+ courseidput => {remote => 1, domroles => 1, enroll => 1},
+ courseidputhash => {remote => 1, domroles => 1, enroll => 1},
+ courselastaccess => {remote => 1, domroles => 1, enroll => 1},
+ currentauth => {remote => 1, domroles => 1, enroll => 1},
+ currentdump => {remote => 1, enroll => 1},
+ currentversion => {remote=> 1, content => 1},
+ dcmaildump => {remote => 1, domroles => 1},
+ dcmailput => {remote => 1, domroles => 1},
+ del => {remote => 1, domroles => 1, enroll => 1, content => 1},
+ deldom => {remote => 1, domroles => 1}, # not currently used
+ devalidatecache => {institutiononly => 1},
+ domroleput => {remote => 1, enroll => 1},
+ domrolesdump => {remote => 1, catalog => 1},
+ du => {remote => 1, enroll => 1},
+ du2 => {remote => 1, enroll => 1},
+ dump => {remote => 1, enroll => 1, domroles => 1},
+ edit => {institutiononly => 1}, #not used currently
+ eget => {remote => 1, domroles => 1, enroll => 1}, #not used currently
+ ekey => {}, #not used currently
+ exit => {anywhere => 1},
+ fetchuserfile => {remote => 1, enroll => 1},
+ get => {remote => 1, domroles => 1, enroll => 1},
+ getdom => {anywhere => 1},
+ home => {anywhere => 1},
+ iddel => {remote => 1, enroll => 1},
+ idget => {remote => 1, enroll => 1},
+ idput => {remote => 1, domroles => 1, enroll => 1},
+ inc => {remote => 1, enroll => 1},
+ init => {anywhere => 1},
+ inst_usertypes => {remote => 1, domroles => 1, enroll => 1},
+ instemailrules => {remote => 1, domroles => 1},
+ instidrulecheck => {remote => 1, domroles => 1,},
+ instidrules => {remote => 1, domroles => 1,},
+ instrulecheck => {remote => 1, enroll => 1, reqcrs => 1, domroles => 1},
+ instselfcreatecheck => {institutiononly => 1},
+ instuserrules => {remote => 1, enroll => 1, reqcrs => 1, domroles => 1},
+ keys => {remote => 1,},
+ load => {anywhere => 1},
+ log => {anywhere => 1},
+ ls => {remote => 1, enroll => 1, content => 1,},
+ ls2 => {remote => 1, enroll => 1, content => 1,},
+ ls3 => {remote => 1, enroll => 1, content => 1,},
+ makeuser => {remote => 1, enroll => 1, domroles => 1,},
+ mkdiruserfile => {remote => 1, enroll => 1,},
+ newput => {remote => 1, enroll => 1, reqcrs => 1, domroles => 1,},
+ passwd => {remote => 1},
+ ping => {anywhere => 1},
+ pong => {anywhere => 1},
+ pushfile => {manageronly => 1},
+ put => {remote => 1, enroll => 1, domroles => 1, msg => 1, content => 1, shared => 1},
+ putdom => {remote => 1, domroles => 1,},
+ putstore => {remote => 1, enroll => 1},
+ queryreply => {anywhere => 1},
+ querysend => {anywhere => 1},
+ quit => {anywhere => 1},
+ readlonnetglobal => {institutiononly => 1},
+ reinit => {manageronly => 1}, #not used currently
+ removeuserfile => {remote => 1, enroll => 1},
+ renameuserfile => {remote => 1,},
+ restore => {remote => 1, enroll => 1, reqcrs => 1,},
+ rolesdel => {remote => 1, enroll => 1, domroles => 1, coaurem => 1},
+ rolesput => {remote => 1, enroll => 1, domroles => 1, coaurem => 1},
+ servercerts => {institutiononly => 1},
+ serverdistarch => {anywhere => 1},
+ serverhomeID => {anywhere => 1},
+ serverloncaparev => {anywhere => 1},
+ servertimezone => {remote => 1, enroll => 1},
+ setannounce => {remote => 1, domroles => 1},
+ sethost => {anywhere => 1},
+ store => {remote => 1, enroll => 1, reqcrs => 1,},
+ studentphoto => {remote => 1, enroll => 1},
+ sub => {content => 1,},
+ tmpdel => {anywhere => 1},
+ tmpget => {anywhere => 1},
+ tmpput => {anywhere => 1},
+ tokenauthuserfile => {anywhere => 1},
+ unsub => {content => 1,},
+ update => {shared => 1},
+ updateclickers => {remote => 1},
+ userhassession => {anywhere => 1},
+ userload => {anywhere => 1},
+ version => {anywhere => 1}, #not used
+ );
+
+#
# Statistics that are maintained and dislayed in the status line.
#
my $Transactions = 0; # Number of attempted transactions.
@@ -666,10 +812,8 @@ sub PushFile {
$clientprotocol = 'http' if ($clientprotocol ne 'https');
my $url = '/adm/'.$filename;
$url =~ s{_}{/};
- my $ua=new LWP::UserAgent;
- $ua->timeout(60);
my $request=new HTTP::Request('GET',"$clientprotocol://$clienthost$url");
- my $response=$ua->request($request);
+ my $response = LONCAPA::LWPReq::makerequest($clientname,$request,'',\%perlvar,60,0);
if ($response->is_error()) {
&logthis('<font color="red"> Pushfile: unable to install '
.$tablefile." - error attempting to pull data. </font>");
@@ -1429,14 +1573,12 @@ sub du2_handler {
#
# 1. for a directory, and the path does not begin with one of:
# (a) /home/httpd/html/res/<domain>
-# (b) /home/httpd/html/userfiles/
+# (b) /home/httpd/html/res/userfiles/
# (c) /home/httpd/lonUsers/<domain>/<1>/<2>/<3>/<username>/userfiles
# or is:
#
-# 2. for a file, and the path (after prepending) does not begin with one of:
-# (a) /home/httpd/lonUsers/<domain>/<1>/<2>/<3>/<username>/
-# (b) /home/httpd/html/res/<domain>/<username>/
-# (c) /home/httpd/html/userfiles/<domain>/<username>/
+# 2. for a file, and the path (after prepending) does not begin with:
+# /home/httpd/lonUsers/<domain>/<1>/<2>/<3>/<username>/
#
# the response will be "refused".
#
@@ -1467,8 +1609,8 @@ sub ls_handler {
}
if (-e $ulsdir) {
if(-d $ulsdir) {
- unless (($ulsdir =~ m{^/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) ||
- ($ulsdir =~ m{^/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_name/userfiles})) {
+ unless (($ulsdir =~ m{/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) ||
+ ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/userfiles/})) {
&Failure($client,"refused\n",$userinput);
return 1;
}
@@ -1495,8 +1637,7 @@ sub ls_handler {
closedir(LSDIR);
}
} else {
- unless (($ulsdir =~ m{^/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_name/}) ||
- ($ulsdir =~ m{^/home/httpd/html/(?:res|userfiles)/$LONCAPA::match_domain/$LONCAPA::match_name/})) {
+ unless ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/}) {
&Failure($client,"refused\n",$userinput);
return 1;
}
@@ -1529,14 +1670,12 @@ sub ls_handler {
#
# 1. for a directory, and the path does not begin with one of:
# (a) /home/httpd/html/res/<domain>
-# (b) /home/httpd/html/userfiles/
+# (b) /home/httpd/html/res/userfiles/
# (c) /home/httpd/lonUsers/<domain>/<1>/<2>/<3>/<username>/userfiles
# or is:
#
-# 2. for a file, and the path (after prepending) does not begin with one of:
-# (a) /home/httpd/lonUsers/<domain>/<1>/<2>/<3>/<username>/
-# (b) /home/httpd/html/res/<domain>/<username>/
-# (c) /home/httpd/html/userfiles/<domain>/<username>/
+# 2. for a file, and the path (after prepending) does not begin with:
+# /home/httpd/lonUsers/<domain>/<1>/<2>/<3>/<username>/
#
# the response will be "refused".
#
@@ -1566,8 +1705,8 @@ sub ls2_handler {
}
if (-e $ulsdir) {
if(-d $ulsdir) {
- unless (($ulsdir =~ m{^/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) ||
- ($ulsdir =~ m{^/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_name/userfiles})) {
+ unless (($ulsdir =~ m{/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) ||
+ ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/userfiles/})) {
&Failure($client,"refused\n","$userinput");
return 1;
}
@@ -1595,8 +1734,7 @@ sub ls2_handler {
closedir(LSDIR);
}
} else {
- unless (($ulsdir =~ m{^/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_name/}) ||
- ($ulsdir =~ m{^/home/httpd/html/(?:res|userfiles)/$LONCAPA::match_domain/$LONCAPA::match_name/})) {
+ unless ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/}) {
&Failure($client,"refused\n",$userinput);
return 1;
}
@@ -1621,17 +1759,14 @@ sub ls2_handler {
#
# 1. for a directory, and the path does not begin with one of:
# (a) /home/httpd/html/res/<domain>
-# (b) /home/httpd/html/userfiles/
+# (b) /home/httpd/html/res/userfiles/
# (c) /home/httpd/lonUsers/<domain>/<1>/<2>/<3>/<username>/userfiles
-# (d) /home/httpd/html/priv/<domain> and client is the homeserver
+# (d) /home/httpd/html/priv/<domain>/ and client is the homeserver
#
# or is:
#
-# 2. for a file, and the path (after prepending) does not begin with one of:
-# (a) /home/httpd/lonUsers/<domain>/<1>/<2>/<3>/<username>/
-# (b) /home/httpd/html/res/<domain>/<username>/
-# (c) /home/httpd/html/userfiles/<domain>/<username>/
-# (d) /home/httpd/html/priv/<domain>/<username>/ and client is the homeserver
+# 2. for a file, and the path (after prepending) does not begin with:
+# /home/httpd/lonUsers/<domain>/<1>/<2>/<3>/<username>/
#
# the response will be "refused".
#
@@ -1708,9 +1843,9 @@ sub ls3_handler {
if (-e $ulsdir) {
if(-d $ulsdir) {
unless (($getpropath) || ($getuserdir) ||
- ($ulsdir =~ m{^/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) ||
- ($ulsdir =~ m{^/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_name/userfiles}) ||
- (($ulsdir =~ m{^/home/httpd/html/priv/$LONCAPA::match_domain}) && ($islocal))) {
+ ($ulsdir =~ m{/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) ||
+ ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/userfiles/}) ||
+ (($ulsdir =~ m{/home/httpd/html/priv/$LONCAPA::match_domain/}) && ($islocal))) {
&Failure($client,"refused\n",$userinput);
return 1;
}
@@ -1739,9 +1874,7 @@ sub ls3_handler {
}
} else {
unless (($getpropath) || ($getuserdir) ||
- ($ulsdir =~ m{^/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_name/}) ||
- ($ulsdir =~ m{^/home/httpd/html/(?:res|userfiles)/$LONCAPA::match_domain/$LONCAPA::match_name/}) ||
- (($ulsdir =~ m{^/home/httpd/html/priv/$LONCAPA::match_domain/$LONCAPA::match_name/}) && ($islocal))) {
+ ($ulsdir =~ m{/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_username/})) {
&Failure($client,"refused\n",$userinput);
return 1;
}
@@ -1795,7 +1928,7 @@ sub read_lonnet_global {
}
if ($what eq 'perlvar') {
if (!exists($packagevars{$what}{'lonBalancer'})) {
- if ($dist =~ /^(centos|rhes|fedora|scientific|oracle)/) {
+ if ($dist =~ /^(centos|rhes|fedora|scientific)/) {
my $othervarref=LONCAPA::Configuration::read_conf('httpd.conf');
if (ref($othervarref) eq 'HASH') {
$items->{'lonBalancer'} = $othervarref->{'lonBalancer'};
@@ -1888,6 +2021,16 @@ sub server_distarch_handler {
}
®ister_handler("serverdistarch", \&server_distarch_handler, 0, 1, 0);
+sub server_certs_handler {
+ my ($cmd,$tail,$client) = @_;
+ my $userinput = "$cmd:$tail";
+ my $result;
+ my $result = &LONCAPA::Lond::server_certs(\%perlvar);
+ &Reply($client,\$result,$userinput);
+ return;
+}
+®ister_handler("servercerts", \&server_certs_handler, 0, 1, 0);
+
# Process a reinit request. Reinit requests that either
# lonc or lond be reinitialized so that an updated
# host.tab or domain.tab can be processed.
@@ -2026,12 +2169,8 @@ sub authenticate_handler {
if (ref($hostedsession) eq 'HASH') {
$hosted = $hostedsession->{'hosted'};
}
- my $loncaparev = $clientversion;
- if ($loncaparev eq '') {
- $loncaparev = $Apache::lonnet::loncaparevs{$clientname};
- }
$canhost = &Apache::lonnet::can_host_session($udom,$clientname,
- $loncaparev,
+ $clientversion,
$remote,$hosted);
}
}
@@ -2107,84 +2246,12 @@ sub change_password_handler {
}
if($validated) {
my $realpasswd = &get_auth_type($udom, $uname); # Defined since authd.
+
my ($howpwd,$contentpwd)=split(/:/,$realpasswd);
- my $notunique;
if ($howpwd eq 'internal') {
&Debug("internal auth");
my $ncpass = &hash_passwd($udom,$npass);
- my (undef,$method,@rest) = split(/!/,$contentpwd);
- if ($method eq 'bcrypt') {
- my %passwdconf = &Apache::lonnet::get_passwdconf($udom);
- if (($passwdconf{'numsaved'}) && ($passwdconf{'numsaved'} =~ /^\d+$/)) {
- my @oldpasswds;
- my $userpath = &propath($udom,$uname);
- my $fullpath = $userpath.'/oldpasswds';
- if (-d $userpath) {
- my @oldfiles;
- if (-e $fullpath) {
- if (opendir(my $dir,$fullpath)) {
- (@oldfiles) = grep(/^\d+$/,readdir($dir));
- closedir($dir);
- }
- if (@oldfiles) {
- @oldfiles = sort { $b <=> $a } (@oldfiles);
- my $numremoved = 0;
- for (my $i=0; $i<@oldfiles; $i++) {
- if ($i>=$passwdconf{'numsaved'}) {
- if (-f "$fullpath/$oldfiles[$i]") {
- if (unlink("$fullpath/$oldfiles[$i]")) {
- $numremoved ++;
- }
- }
- } elsif (open(my $fh,'<',"$fullpath/$oldfiles[$i]")) {
- while (my $line = <$fh>) {
- push(@oldpasswds,$line);
- }
- close($fh);
- }
- }
- if ($numremoved) {
- &logthis("unlinked $numremoved old password files for $uname:$udom");
- }
- }
- }
- push(@oldpasswds,$contentpwd);
- foreach my $item (@oldpasswds) {
- my (undef,$method,@rest) = split(/!/,$item);
- if ($method eq 'bcrypt') {
- my $result = &hash_passwd($udom,$npass,@rest);
- if ($result eq $item) {
- $notunique = 1;
- last;
- }
- }
- }
- unless ($notunique) {
- unless (-e $fullpath) {
- if (&mkpath("$fullpath/")) {
- chmod(0700,$fullpath);
- }
- }
- if (-d $fullpath) {
- my $now = time;
- if (open(my $fh,'>',"$fullpath/$now")) {
- print $fh $contentpwd;
- close($fh);
- chmod(0400,"$fullpath/$now");
- }
- }
- }
- }
- }
- }
- if ($notunique) {
- my $msg="Result of password change for $uname:$udom - password matches one used before";
- if ($lonhost) {
- $msg .= " - request originated from: $lonhost";
- }
- &logthis($msg);
- &Reply($client, "prioruse\n", $userinput);
- } elsif (&rewrite_password_file($udom, $uname, "internal:$ncpass")) {
+ if(&rewrite_password_file($udom, $uname, "internal:$ncpass")) {
my $msg="Result of password change for $uname: pwchange_success";
if ($lonhost) {
$msg .= " - request originated from: $lonhost";
@@ -2201,7 +2268,7 @@ sub change_password_handler {
my $result = &change_unix_password($uname, $npass);
if ($result eq 'ok') {
&update_passwd_history($uname,$udom,$howpwd,$context);
- }
+ }
&logthis("Result of password change for $uname: ".
$result);
&Reply($client, \$result, $userinput);
@@ -2212,6 +2279,7 @@ sub change_password_handler {
#
&Failure( $client, "auth_mode_error\n", $userinput);
}
+
} else {
if ($failure eq '') {
$failure = 'non_authorized';
@@ -2232,8 +2300,12 @@ sub hash_passwd {
my $plainsalt = substr($rest[1],0,22);
$salt = Crypt::Eksblowfish::Bcrypt::de_base64($plainsalt);
} else {
- my %domdefaults = &Apache::lonnet::get_domain_defaults($domain);
- my $defaultcost = $domdefaults{'intauth_cost'};
+ my $defaultcost;
+ my %domconfig =
+ &Apache::lonnet::get_dom('configuration',['password'],$domain);
+ if (ref($domconfig{'password'}) eq 'HASH') {
+ $defaultcost = $domconfig{'password'}{'cost'};
+ }
if (($defaultcost eq '') || ($defaultcost =~ /D/)) {
$cost = 10;
} else {
@@ -2368,7 +2440,7 @@ sub change_authentication_handler {
my $result = &change_unix_password($uname, $npass);
&logthis("Result of password change for $uname: ".$result);
if ($result eq "ok") {
- &update_passwd_history($uname,$udom,$umode,'changeuserauth');
+ &update_passwd_history($uname,$udom,$umode,'changeuserauth');
&Reply($client, \$result);
} else {
&Failure($client, \$result);
@@ -2493,18 +2565,13 @@ sub update_resource_handler {
# FIXME: this should use the LWP mechanism, not internal alarms.
alarm(1200);
{
- my $ua=new LWP::UserAgent;
my $request=new HTTP::Request('GET',"$remoteurl");
- $response=$ua->request($request,$transname);
+ $response=&LONCAPA::LWPReq::makerequest($clientname,$request,$transname,\%perlvar,1200,0,1);
}
alarm(0);
if ($response->is_error()) {
- my $reply=&Apache::lonnet::reply("unsub:$fname","$clientname");
- &devalidate_meta_cache($fname);
- if (-e $transname) {
- unlink($transname);
- }
- unlink($fname);
+# FIXME: we should probably clean up here instead of just whine
+ unlink($transname);
my $message=$response->status_line;
&logthis("LWP GET: $message for $fname ($remoteurl)");
} else {
@@ -2512,9 +2579,8 @@ sub update_resource_handler {
# FIXME: isn't there an internal LWP mechanism for this?
alarm(120);
{
- my $ua=new LWP::UserAgent;
my $mrequest=new HTTP::Request('GET',$remoteurl.'.meta');
- my $mresponse=$ua->request($mrequest,$fname.'.meta');
+ my $mresponse = &LONCAPA::LWPReq::makerequest($clientname,$mrequest,$fname.'.meta',\%perlvar,120,0,1);
if ($mresponse->is_error()) {
unlink($fname.'.meta');
}
@@ -2589,11 +2655,15 @@ sub fetch_user_file_handler {
my $remoteurl=$clientprotocol.'://'.$clienthost.'/userfiles/'.$fname;
my $response;
Debug("Remote URL : $remoteurl Transfername $transname Destname: $destname");
- alarm(120);
+ alarm(1200);
{
- my $ua=new LWP::UserAgent;
my $request=new HTTP::Request('GET',"$remoteurl");
- $response=$ua->request($request,$transname);
+ my $verifycert = 1;
+ my @machine_ids = &Apache::lonnet::current_machine_ids();
+ if (grep(/^\Q$clientname\E$/,@machine_ids)) {
+ $verifycert = 0;
+ }
+ $response = &LONCAPA::LWPReq::makerequest($clientname,$request,$transname,\%perlvar,1200,$verifycert);
}
alarm(0);
if ($response->is_error()) {
@@ -2662,13 +2732,13 @@ sub remove_user_file_handler {
if (-e $file) {
#
# If the file is a regular file unlink is fine...
- # However it's possible the client wants a dir
- # removed, in which case rmdir is more appropriate
- # Note: rmdir will only remove an empty directory.
+ # However it's possible the client wants a dir
+ # removed, in which case rmdir is more appropriate.
+ # Note: rmdir will only remove an empty directory.
#
if (-f $file){
unlink($file);
- # for html files remove the associated .bak file
+ # for html files remove the associated .bak file
# which may have been created by the editor.
if ($ufile =~ m{^((docs|supplemental)/(?:\d+|default)/\d+(?:|/.+)/)[^/]+\.x?html?$}i) {
my $path = $1;
@@ -3042,8 +3112,8 @@ sub newput_user_profile_entry {
&logthis("error: ".($!+0)." untie (GDBM) failed ".
"while attempting newput - early out as key exists");
}
- &Failure($client, "key_exists: ".$key."\n",$userinput);
- return 1;
+ &Failure($client, "key_exists: ".$key."\n",$userinput);
+ return 1;
}
}
@@ -3293,8 +3363,7 @@ sub get_profile_entry {
#
# Parameters:
# $cmd - Command keyword of request (eget).
-# $tail - Tail of the command. See GetProfileEntry
-# for more information about this.
+# $tail - Tail of the command. See GetProfileEntry
# for more information about this.
# $client - File open on the client.
# Returns:
# 1 - Continue processing
@@ -3446,6 +3515,17 @@ sub get_profile_keys {
sub dump_profile_database {
my ($cmd, $tail, $client) = @_;
+ my $res = LONCAPA::Lond::dump_profile_database($tail);
+
+ if ($res =~ /^error:/) {
+ Failure($client, \$res, "$cmd:$tail");
+ } else {
+ Reply($client, \$res, "$cmd:$tail");
+ }
+
+ return 1;
+
+ #TODO remove
my $userinput = "$cmd:$tail";
my ($udom,$uname,$namespace) = split(/:/,$tail);
@@ -3525,11 +3605,11 @@ sub dump_with_regexp {
my ($cmd, $tail, $client) = @_;
my $res = LONCAPA::Lond::dump_with_regexp($tail, $clientversion);
-
+
if ($res =~ /^error:/) {
- &Failure($client, \$res, "$cmd:$tail");
+ Failure($client, \$res, "$cmd:$tail");
} else {
- &Reply($client, \$res, "$cmd:$tail");
+ Reply($client, \$res, "$cmd:$tail");
}
return 1;
@@ -3567,7 +3647,6 @@ sub store_handler {
my ($cmd, $tail, $client) = @_;
my $userinput = "$cmd:$tail";
-
chomp($tail);
my ($udom,$uname,$namespace,$rid,$what,$laststore) =split(/:/,$tail);
if ($namespace ne 'roles') {
@@ -3597,7 +3676,6 @@ sub store_handler {
$numtrans =~ s/D//g;
}
}
-
$hashref->{"version:$rid"}++;
my $version=$hashref->{"version:$rid"};
my $allkeys='';
@@ -3614,7 +3692,7 @@ sub store_handler {
if ($numtrans) {
$msg = 'delay:'.$numtrans;
}
- &Reply($client, "$msg\n", $userinput);
+ &Reply($client, "$msg\n", $userinput);
} else {
&Failure($client, "error: ".($!+0)." untie(GDBM) Failed ".
"while attempting store\n", $userinput);
@@ -3876,37 +3954,6 @@ sub send_query_handler {
my ($query,$arg1,$arg2,$arg3)=split(/\:/,$tail);
$query=~s/\n*$//g;
- if (($query eq 'usersearch') || ($query eq 'instdirsearch')) {
- my $usersearchconf = &get_usersearch_config($currentdomainid,'directorysrch');
- my $earlyout;
- if (ref($usersearchconf) eq 'HASH') {
- if ($currentdomainid eq $clienthomedom) {
- if ($query eq 'usersearch') {
- if ($usersearchconf->{'lcavailable'} eq '0') {
- $earlyout = 1;
- }
- } else {
- if ($usersearchconf->{'available'} eq '0') {
- $earlyout = 1;
- }
- }
- } else {
- if ($query eq 'usersearch') {
- if ($usersearchconf->{'lclocalonly'}) {
- $earlyout = 1;
- }
- } else {
- if ($usersearchconf->{'localonly'}) {
- $earlyout = 1;
- }
- }
- }
- }
- if ($earlyout) {
- &Reply($client, "query_not_authorized\n");
- return 1;
- }
- }
&Reply($client, "". &sql_reply("$clientname\&$query".
"\&$arg1"."\&$arg2"."\&$arg3")."\n",
$userinput);
@@ -4162,7 +4209,7 @@ sub put_course_id_hash_handler {
#
# domcloner - flag to indicate if user can create CCs in course's domain.
# If so, ability to clone course is automatic.
-# hasuniquecode - filter by courses for which a six character unique code has
+# hasuniquecode - filter by courses for which a six character unique code has
# been set.
#
# $client - The socket open on the client.
@@ -4172,6 +4219,17 @@ sub put_course_id_hash_handler {
# a reply is written to $client.
sub dump_course_id_handler {
my ($cmd, $tail, $client) = @_;
+
+ my $res = LONCAPA::Lond::dump_course_id_handler($tail);
+ if ($res =~ /^error:/) {
+ Failure($client, \$res, "$cmd:$tail");
+ } else {
+ Reply($client, \$res, "$cmd:$tail");
+ }
+
+ return 1;
+
+ #TODO remove
my $userinput = "$cmd:$tail";
my ($udom,$since,$description,$instcodefilter,$ownerfilter,$coursefilter,
@@ -4576,44 +4634,6 @@ sub course_lastaccess_handler {
}
®ister_handler("courselastaccess",\&course_lastaccess_handler, 0, 1, 0);
-sub course_sessions_handler {
- my ($cmd, $tail, $client) = @_;
- my $userinput = "$cmd:$tail";
- my ($cdom,$cnum,$lastactivity) = split(':',$tail);
- my $dbsuffix = '_'.$cdom.'_'.$cnum.'.db';
- my (%sessions,$qresult);
- my $now=time;
- if (opendir(DIR,$perlvar{'lonIDsDir'})) {
- my $filename;
- while ($filename=readdir(DIR)) {
- next if ($filename=~/^\./);
- next if ($filename=~/^publicuser_/);
- next if ($filename=~/^[a-f0-9]+_(linked|lti_\d+)\.id$/);
- if ($filename =~ /^($LONCAPA::match_username)_\d+_($LONCAPA::match_domain)_/) {
- my ($uname,$udom) = ($1,$2);
- next unless (-e "$perlvar{'lonDaemons'}/tmp/$uname$dbsuffix");
- my $mtime = (stat("$perlvar{'lonIDsDir'}/$filename"))[9];
- if ($lastactivity < 0) {
- next if ($mtime-$now > $lastactivity);
- } else {
- next if ($now-$mtime > $lastactivity);
- }
- $sessions{$uname.':'.$udom} = $mtime;
- }
- }
- closedir(DIR);
- }
- foreach my $user (keys(%sessions)) {
- $qresult.=&escape($user).'='.$sessions{$user}.'&';
- }
- if ($qresult) {
- chop($qresult);
- }
- &Reply($client, \$qresult, $userinput);
- return 1;
-}
-®ister_handler("coursesessions",\&course_sessions_handler, 0, 1, 0);
-
#
# Puts an unencrypted entry in a namespace db file at the domain level
#
@@ -4657,6 +4677,122 @@ sub put_domain_handler {
}
®ister_handler("putdom", \&put_domain_handler, 0, 1, 0);
+# Updates one or more entries in clickers.db file at the domain level
+#
+# Parameters:
+# $cmd - The command that got us here.
+# $tail - Tail of the command (remaining parameters).
+# In this case a colon separated list containing:
+# (a) the domain for which we are updating the entries,
+# (b) the action required -- add or del -- and
+# (c) a &-separated list of entries to add or delete.
+# $client - File descriptor connected to client.
+# Returns
+# 1 - Continue processing.
+# 0 - Requested to exit, caller should shut down.
+# Side effects:
+# reply is written to $client.
+#
+
+
+sub update_clickers {
+ my ($cmd, $tail, $client) = @_;
+
+ my $userinput = "$cmd:$tail";
+ my ($udom,$action,$what) =split(/:/,$tail,3);
+ chomp($what);
+
+ my $hashref = &tie_domain_hash($udom, "clickers", &GDBM_WRCREAT(),
+ "U","$action:$what");
+
+ if (!$hashref) {
+ &Failure( $client, "error: ".($!+0)." tie(GDBM) Failed ".
+ "while attempting updateclickers\n", $userinput);
+ return 1;
+ }
+
+ my @pairs=split(/\&/,$what);
+ foreach my $pair (@pairs) {
+ my ($key,$value)=split(/=/,$pair);
+ if ($action eq 'add') {
+ if (exists($hashref->{$key})) {
+ my @newvals = split(/,/,&unescape($value));
+ my @currvals = split(/,/,&unescape($hashref->{$key}));
+ my @merged = sort(keys(%{{map { $_ => 1 } (@newvals,@currvals)}}));
+ $hashref->{$key}=&escape(join(',',@merged));
+ } else {
+ $hashref->{$key}=$value;
+ }
+ } elsif ($action eq 'del') {
+ if (exists($hashref->{$key})) {
+ my %current;
+ map { $current{$_} = 1; } split(/,/,&unescape($hashref->{$key}));
+ map { delete($current{$_}); } split(/,/,&unescape($value));
+ if (keys(%current)) {
+ $hashref->{$key}=&escape(join(',',sort(keys(%current))));
+ } else {
+ delete($hashref->{$key});
+ }
+ }
+ }
+ }
+ if (&untie_user_hash($hashref)) {
+ &Reply( $client, "ok\n", $userinput);
+ } else {
+ &Failure($client, "error: ".($!+0)." untie(GDBM) failed ".
+ "while attempting put\n",
+ $userinput);
+ }
+ return 1;
+}
+®ister_handler("updateclickers", \&update_clickers, 0, 1, 0);
+
+
+# Deletes one or more entries in a namespace db file at the domain level
+#
+# Parameters:
+# $cmd - The command that got us here.
+# $tail - Tail of the command (remaining parameters).
+# In this case a colon separated list containing:
+# (a) the domain for which we are deleting the entries,
+# (b) &-separated list of keys to delete.
+# $client - File descriptor connected to client.
+# Returns
+# 1 - Continue processing.
+# 0 - Requested to exit, caller should shut down.
+# Side effects:
+# reply is written to $client.
+#
+
+sub del_domain_handler {
+ my ($cmd,$tail,$client) = @_;
+
+ my $userinput = "$cmd:$tail";
+
+ my ($udom,$namespace,$what)=split(/:/,$tail,3);
+ chomp($what);
+ my $hashref = &tie_domain_hash($udom,$namespace,&GDBM_WRCREAT(),
+ "D", $what);
+ if ($hashref) {
+ my @keys=split(/\&/,$what);
+ foreach my $key (@keys) {
+ delete($hashref->{$key});
+ }
+ if (&untie_user_hash($hashref)) {
+ &Reply($client, "ok\n", $userinput);
+ } else {
+ &Failure($client, "error: ".($!+0)." untie(GDBM) Failed ".
+ "while attempting deldom\n", $userinput);
+ }
+ } else {
+ &Failure( $client, "error: ".($!+0)." tie(GDBM) Failed ".
+ "while attempting deldom\n", $userinput);
+ }
+ return 1;
+}
+®ister_handler("deldom", \&del_domain_handler, 0, 1, 0);
+
+
# Unencrypted get from the namespace database file at the domain level.
# This function retrieves a keyed item from a specific named database in the
# domain directory.
@@ -4680,7 +4816,7 @@ sub get_domain_handler {
my ($cmd, $tail, $client) = @_;
- my $userinput = "$cmd:$tail";
+ my $userinput = "$client:$tail";
my ($udom,$namespace,$what)=split(/:/,$tail,3);
chomp($what);
@@ -4816,7 +4952,7 @@ sub get_id_handler {
# Returns:
# 1 - Continue processing
# 0 - Exit server.
-#
+#
#
sub del_id_handler {
@@ -5223,116 +5359,6 @@ sub tmp_del_handler {
®ister_handler("tmpdel", \&tmp_del_handler, 0, 1, 0);
#
-# Process the updatebalcookie command. This command updates a
-# cookie in the lonBalancedir directory on a load balancer node.
-#
-# Parameters:
-# $cmd - Command that got us here.
-# $tail - Tail of the request (escaped cookie: escaped current entry)
-#
-# $client - socket open on the client process.
-#
-# Returns:
-# 1 - Indicating processing should continue.
-# Side Effects:
-# A cookie file is updated from the lonBalancedir directory
-# A reply is sent to the client.
-#
-sub update_balcookie_handler {
- my ($cmd, $tail, $client) = @_;
-
- my $userinput= "$cmd:$tail";
- chomp($tail);
- my ($cookie,$lastentry) = map { &unescape($_) } (split(/:/,$tail));
-
- my $updatedone;
- if ($cookie =~ /^$LONCAPA::match_domain\_$LONCAPA::match_username\_[a-f0-9]{32}$/) {
- my $execdir=$perlvar{'lonBalanceDir'};
- if (-e "$execdir/$cookie.id") {
- my $doupdate;
- if (open(my $fh,'<',"$execdir/$cookie.id")) {
- while (my $line = <$fh>) {
- chomp($line);
- if ($line eq $lastentry) {
- $doupdate = 1;
- last;
- }
- }
- close($fh);
- }
- if ($doupdate) {
- if (open(my $fh,'>',"$execdir/$cookie.id")) {
- print $fh $clientname;
- close($fh);
- $updatedone = 1;
- }
- }
- }
- }
- if ($updatedone) {
- &Reply($client, "ok\n", $userinput);
- } else {
- &Failure( $client, "error: ".($!+0)."file update failed ".
- "while attempting updatebalcookie\n", $userinput);
- }
- return 1;
-}
-®ister_handler("updatebalcookie", \&update_balcookie_handler, 0, 1, 0);
-
-#
-# Process the delbalcookie command. This command deletes a balancer
-# cookie in the lonBalancedir directory on a load balancer node.
-#
-# Parameters:
-# $cmd - Command that got us here.
-# $cookie - Cookie to be deleted.
-# $client - socket open on the client process.
-#
-# Returns:
-# 1 - Indicating processing should continue.
-# Side Effects:
-# A cookie file is deleted from the lonBalancedir directory
-# A reply is sent to the client.
-sub del_balcookie_handler {
- my ($cmd, $cookie, $client) = @_;
-
- my $userinput= "$cmd:$cookie";
-
- chomp($cookie);
- $cookie = &unescape($cookie);
- my $deleted = '';
- if ($cookie =~ /^$LONCAPA::match_domain\_$LONCAPA::match_username\_[a-f0-9]{32}$/) {
- my $execdir=$perlvar{'lonBalanceDir'};
- if (-e "$execdir/$cookie.id") {
- if (open(my $fh,'<',"$execdir/$cookie.id")) {
- my $dodelete;
- while (my $line = <$fh>) {
- chomp($line);
- if ($line eq $clientname) {
- $dodelete = 1;
- last;
- }
- }
- close($fh);
- if ($dodelete) {
- if (unlink("$execdir/$cookie.id")) {
- $deleted = 1;
- }
- }
- }
- }
- }
- if ($deleted) {
- &Reply($client, "ok\n", $userinput);
- } else {
- &Failure( $client, "error: ".($!+0)."Unlinking cookie file Failed ".
- "while attempting delbalcookie\n", $userinput);
- }
- return 1;
-}
-®ister_handler("delbalcookie", \&del_balcookie_handler, 0, 1, 0);
-
-#
# Processes the setannounce command. This command
# creates a file named announce.txt in the top directory of
# the documentn root and sets its contents. The announce.txt file is
@@ -5611,10 +5637,9 @@ sub validate_course_section_handler {
# Formal Parameters:
# $cmd - The command request that got us dispatched.
# $tail - The tail of the command. In this case this is a colon separated
-# set of values that will be split into:
+# set of words that will be split into:
# $inst_class - Institutional code for the specific class section
-# $ownerlist - An escaped comma-separated list of username:domain
-# of the course owner, and co-owner(s).
+# $courseowner - The escaped username:domain of the course owner
# $cdom - The domain of the course from the institution's
# point of view.
# $client - The socket open on the client.
@@ -5639,56 +5664,6 @@ sub validate_class_access_handler {
®ister_handler("autovalidateclass_sec", \&validate_class_access_handler, 0, 1, 0);
#
-# Validate course owner or co-owners(s) access to enrollment data for all sections
-# and crosslistings for a particular course.
-#
-#
-# Formal Parameters:
-# $cmd - The command request that got us dispatched.
-# $tail - The tail of the command. In this case this is a colon separated
-# set of values that will be split into:
-# $ownerlist - An escaped comma-separated list of username:domain
-# of the course owner, and co-owner(s).
-# $cdom - The domain of the course from the institution's
-# point of view.
-# $classes - Frozen hash of institutional course sections and
-# crosslistings.
-# $client - The socket open on the client.
-# Returns:
-# 1 - continue processing.
-#
-
-sub validate_classes_handler {
- my ($cmd, $tail, $client) = @_;
- my $userinput = "$cmd:$tail";
- my ($ownerlist,$cdom,$classes) = split(/:/, $tail);
- my $classesref = &Apache::lonnet::thaw_unescape($classes);
- my $owners = &unescape($ownerlist);
- my $result;
- eval {
- local($SIG{__DIE__})='DEFAULT';
- my %validations;
- my $response = &localenroll::check_instclasses($owners,$cdom,$classesref,
- \%validations);
- if ($response eq 'ok') {
- foreach my $key (keys(%validations)) {
- $result .= &escape($key).'='.&Apache::lonnet::freeze_escape($validations{$key}).'&';
- }
- $result =~ s/\&$//;
- } else {
- $result = 'error';
- }
- };
- if (!$@) {
- &Reply($client, \$result, $userinput);
- } else {
- &Failure($client,"unknown_cmd\n",$userinput);
- }
- return 1;
-}
-®ister_handler("autovalidateinstclasses", \&validate_classes_handler, 0, 1, 0);
-
-#
# Create a password for a new LON-CAPA user added by auto-enrollment.
# Only used for case where authentication method for new user is localauth
#
@@ -5766,8 +5741,7 @@ sub auto_export_grades_handler {
return 1;
}
®ister_handler("autoexportgrades", \&auto_export_grades_handler,
- 1, 1, 0);
-
+ 0, 1, 0);
# Retrieve and remove temporary files created by/during autoenrollment.
#
@@ -5789,6 +5763,7 @@ sub retrieve_auto_file_handler {
my ($filename) = split(/:/, $tail);
my $source = $perlvar{'lonDaemons'}.'/tmp/'.$filename;
+
if ($filename =~m{/\.\./}) {
&Failure($client, "refused\n", $userinput);
} elsif ($filename !~ /^$LONCAPA::match_domain\_$LONCAPA::match_courseid\_.+_classlist\.xml$/) {
@@ -5825,7 +5800,7 @@ sub crsreq_checks_handler {
my $userinput = "$cmd:$tail";
my $dom = $tail;
my $result;
- my @reqtypes = ('official','unofficial','community','textbook');
+ my @reqtypes = ('official','unofficial','community','textbook','placement');
eval {
local($SIG{__DIE__})='DEFAULT';
my %validations;
@@ -6430,12 +6405,13 @@ sub get_request {
#
# Parameters:
# user_input - The request received from the client (lonc).
+#
# Returns:
# true to keep processing, false if caller should exit.
#
sub process_request {
- my ($userinput) = @_; # Easier for now to break style than to
- # fix all the userinput -> user_input.
+ my ($userinput) = @_; # Easier for now to break style than to
+ # fix all the userinput -> user_input.
my $wasenc = 0; # True if request was encrypted.
# ------------------------------------------------------------ See if encrypted
# for command
@@ -6515,6 +6491,49 @@ sub process_request {
Debug("Client not privileged to do this operation");
$ok = 0;
}
+ if ($ok) {
+ if (ref($trust{$command}) eq 'HASH') {
+ my $donechecks;
+ if ($trust{$command}{'anywhere'}) {
+ $donechecks = 1;
+ } elsif ($trust{$command}{'manageronly'}) {
+ unless (&isManager()) {
+ $ok = 0;
+ }
+ $donechecks = 1;
+ } elsif ($trust{$command}{'institutiononly'}) {
+ unless ($clientsameinst) {
+ $ok = 0;
+ }
+ $donechecks = 1;
+ } elsif ($clientsameinst) {
+ $donechecks = 1;
+ }
+ unless ($donechecks) {
+ foreach my $rule (keys(%{$trust{$command}})) {
+ next if ($rule eq 'remote');
+ if ($trust{$command}{$rule}) {
+ if ($clientprohibited{$rule}) {
+ $ok = 0;
+ } else {
+ $ok = 1;
+ $donechecks = 1;
+ last;
+ }
+ }
+ }
+ }
+ unless ($donechecks) {
+ if ($trust{$command}{'remote'}) {
+ if ($clientremoteok) {
+ $ok = 1;
+ } else {
+ $ok = 0;
+ }
+ }
+ }
+ }
+ }
if($ok) {
Debug("Dispatching to handler $command $tail");
@@ -6525,8 +6544,7 @@ sub process_request {
Failure($client, "refused\n", $userinput);
return 1;
}
-
- }
+ }
print $client "unknown_cmd\n";
# -------------------------------------------------------------------- complete
@@ -6666,8 +6684,8 @@ my $wwwid=getpwnam('www');
if ($wwwid!=$<) {
my $emailto="$perlvar{'lonAdmEMail'},$perlvar{'lonSysEMail'}";
my $subj="LON: $currenthostid User ID mismatch";
- system("echo 'User ID mismatch. lond must be run as user www.' |".
- " mail -s '$subj' $emailto > /dev/null");
+ system("echo 'User ID mismatch. lond must be run as user www.' |\
+ mailto $emailto -s '$subj' > /dev/null");
exit 1;
}
@@ -6870,6 +6888,9 @@ sub Debug {
# reply - Text to send to client.
# request - Original request from client.
#
+#NOTE $reply must be terminated by exactly *one* \n. If $reply is a reference
+#this is done automatically ($$reply must not contain any \n in this case).
+#If $reply is a string the caller has to ensure this.
sub Reply {
my ($fd, $reply, $request) = @_;
if (ref($reply)) {
@@ -7117,13 +7138,13 @@ sub make_new_child {
&Authen::Krb5::init_context();
my $no_ets;
- if ($dist =~ /^(?:centos|rhes|scientific|oracle)(\d+)$/) {
+ if ($dist =~ /^(?:centos|rhes|scientific)(\d+)$/) {
if ($1 >= 7) {
$no_ets = 1;
}
} elsif ($dist =~ /^suse(\d+\.\d+)$/) {
if (($1 eq '9.3') || ($1 >= 12.2)) {
- $no_ets = 1;
+ $no_ets = 1;
}
} elsif ($dist =~ /^sles(\d+)$/) {
if ($1 > 11) {
@@ -7135,8 +7156,8 @@ sub make_new_child {
}
}
unless ($no_ets) {
- &Authen::Krb5::init_ets();
- }
+ &Authen::Krb5::init_ets();
+ }
&status('Accepted connection');
# =============================================================================
@@ -7180,12 +7201,12 @@ sub make_new_child {
# If the remote is attempting a local init... give that a try:
#
(my $i, my $inittype, $clientversion) = split(/:/, $remotereq);
- # For LON-CAPA 2.9, the client session will have sent its LON-CAPA
- # version when initiating the connection. For LON-CAPA 2.8 and older,
- # the version is retrieved from the global %loncaparevs in lonnet.pm.
- # $clientversion contains path to keyfile if $inittype eq 'local'
- # it's overridden below in this case
- $clientversion ||= $Apache::lonnet::loncaparevs{$clientname};
+ # For LON-CAPA 2.9, the client session will have sent its LON-CAPA
+ # version when initiating the connection. For LON-CAPA 2.8 and older,
+ # the version is retrieved from the global %loncaparevs in lonnet.pm.
+ # $clientversion contains path to keyfile if $inittype eq 'local'
+ # it's overridden below in this case
+ $clientversion ||= $Apache::lonnet::loncaparevs{$clientname};
# If the connection type is ssl, but I didn't get my
# certificate files yet, then I'll drop back to
@@ -7250,6 +7271,7 @@ sub make_new_child {
."Attempted insecure connection disallowed </font>");
close $client;
$clientok = 0;
+
}
}
} else {
@@ -7258,6 +7280,7 @@ sub make_new_child {
."$clientip failed to initialize: >$remotereq< </font>");
&status('No init '.$clientip);
}
+
} else {
&logthis(
"<font color='blue'>WARNING: Unknown client $clientip</font>");
@@ -7278,6 +7301,41 @@ sub make_new_child {
my $clienthost = &Apache::lonnet::hostname($clientname);
my $clientserverhomeID = &Apache::lonnet::get_server_homeID($clienthost);
$clienthomedom = &Apache::lonnet::host_domain($clientserverhomeID);
+ $clientintdom = &Apache::lonnet::internet_dom($clientserverhomeID);
+ $clientsameinst = 0;
+ if ($clientintdom ne '') {
+ my $internet_names = &Apache::lonnet::get_internet_names($currenthostid);
+ if (ref($internet_names) eq 'ARRAY') {
+ if (grep(/^\Q$clientintdom\E$/,@{$internet_names})) {
+ $clientsameinst = 1;
+ }
+ }
+ }
+ $clientremoteok = 0;
+ unless ($clientsameinst) {
+ $clientremoteok = 1;
+ my $defdom = &Apache::lonnet::host_domain($perlvar{'lonHostID'});
+ %clientprohibited = &get_prohibited($defdom);
+ if ($clientintdom) {
+ my $remsessconf = &get_usersession_config($defdom,'remotesession');
+ if (ref($remsessconf) eq 'HASH') {
+ if (ref($remsessconf->{'remote'}) eq 'HASH') {
+ if (ref($remsessconf->{'remote'}->{'excludedomain'}) eq 'ARRAY') {
+ if (grep(/^\Q$clientintdom\E$/,@{$remsessconf->{'remote'}->{'excludedomain'}})) {
+ $clientremoteok = 0;
+ }
+ }
+ if (ref($remsessconf->{'remote'}->{'includedomain'}) eq 'ARRAY') {
+ if (grep(/^\Q$clientintdom\E$/,@{$remsessconf->{'remote'}->{'includedomain'}})) {
+ $clientremoteok = 1;
+ } else {
+ $clientremoteok = 0;
+ }
+ }
+ }
+ }
+ }
+ }
while(($user_input = get_request) && $keep_going) {
alarm(120);
Debug("Main: Got $user_input\n");
@@ -7293,7 +7351,7 @@ sub make_new_child {
&logthis("<font color='blue'>WARNING: "
."Rejected client $clientip, closing connection</font>");
}
- }
+ }
# =============================================================================
@@ -7415,25 +7473,15 @@ sub password_filename {
# domain - domain of the user.
# name - User's name.
# contents - New contents of the file.
-# saveold - (optional). If true save old file in a passwd.bak file.
# Returns:
# 0 - Failed.
# 1 - Success.
#
sub rewrite_password_file {
- my ($domain, $user, $contents, $saveold) = @_;
+ my ($domain, $user, $contents) = @_;
my $file = &password_filename($domain, $user);
if (defined $file) {
- if ($saveold) {
- my $bakfile = $file.'.bak';
- if (CopyFile($file,$bakfile)) {
- chmod(0400,$bakfile);
- &logthis("Old password saved in passwd.bak for internally authenticated user: $user:$domain");
- } else {
- &logthis("Failed to save old password in passwd.bak for internally authenticated user: $user:$domain");
- }
- }
my $pf = IO::File->new(">$file");
if($pf) {
print $pf "$contents\n";
@@ -7524,27 +7572,20 @@ sub validate_user {
$contentpwd = $domdefaults{'auth_arg_def'};
}
}
- }
+ }
if ($howpwd ne 'nouser') {
if($howpwd eq "internal") { # Encrypted is in local password file.
if (length($contentpwd) == 13) {
$validated = (crypt($password,$contentpwd) eq $contentpwd);
if ($validated) {
- my %domdefaults = &Apache::lonnet::get_domain_defaults($domain);
- if ($domdefaults{'intauth_switch'}) {
- my $ncpass = &hash_passwd($domain,$password);
- my $saveold;
- if ($domdefaults{'intauth_switch'} == 2) {
- $saveold = 1;
- }
- if (&rewrite_password_file($domain,$user,"$howpwd:$ncpass",$saveold)) {
- &update_passwd_history($user,$domain,$howpwd,'conversion');
- &logthis("Validated password hashed with bcrypt for $user:$domain");
- }
+ my $ncpass = &hash_passwd($domain,$password);
+ if (&rewrite_password_file($domain,$user,"$howpwd:$ncpass")) {
+ &update_passwd_history($user,$domain,$howpwd,'conversion');
+ &logthis("Validated password hashed with bcrypt for $user:$domain");
}
}
} else {
- $validated = &check_internal_passwd($password,$contentpwd,$domain,$user);
+ $validated = &check_internal_passwd($password,$contentpwd,$domain);
}
}
elsif ($howpwd eq "unix") { # User is a normal unix user.
@@ -7614,35 +7655,24 @@ sub validate_user {
}
sub check_internal_passwd {
- my ($plainpass,$stored,$domain,$user) = @_;
+ my ($plainpass,$stored,$domain) = @_;
my (undef,$method,@rest) = split(/!/,$stored);
- if ($method eq 'bcrypt') {
+ if ($method eq "bcrypt") {
my $result = &hash_passwd($domain,$plainpass,@rest);
if ($result ne $stored) {
return 0;
}
- my %domdefaults = &Apache::lonnet::get_domain_defaults($domain);
- if ($domdefaults{'intauth_check'}) {
- # Upgrade to a larger number of rounds if necessary
- my $defaultcost = $domdefaults{'intauth_cost'};
- if (($defaultcost eq '') || ($defaultcost =~ /D/)) {
- $defaultcost = 10;
- }
- if (int($rest[0])<int($defaultcost)) {
- if ($domdefaults{'intauth_check'} == 1) {
- my $ncpass = &hash_passwd($domain,$plainpass);
- if (&rewrite_password_file($domain,$user,"internal:$ncpass")) {
- &update_passwd_history($user,$domain,'internal','update cost');
- &logthis("Validated password hashed with bcrypt for $user:$domain");
- }
- return 1;
- } elsif ($domdefaults{'intauth_check'} == 2) {
- return 0;
- }
- }
- } else {
- return 1;
+ # Upgrade to a larger number of rounds if necessary
+ my $defaultcost;
+ my %domconfig =
+ &Apache::lonnet::get_dom('configuration',['password'],$domain);
+ if (ref($domconfig{'password'}) eq 'HASH') {
+ $defaultcost = $domconfig{'password'}{'cost'};
}
+ if (($defaultcost eq '') || ($defaultcost =~ /D/)) {
+ $defaultcost = 10;
+ }
+ return 1 unless($rest[0]<$defaultcost);
}
return 0;
}
@@ -7990,8 +8020,8 @@ sub make_passwd_file {
&Debug("Creating internal auth");
my $pf = IO::File->new(">$passfilename");
if($pf) {
- print $pf "internal:$ncpass\n";
- &update_passwd_history($uname,$udom,$umode,$action);
+ print $pf "internal:$ncpass\n";
+ &update_passwd_history($uname,$udom,$umode,$action);
} else {
$result = "pass_file_failed_error";
}
@@ -8064,25 +8094,45 @@ sub get_usersession_config {
return $usersessionconf;
} else {
my %domconfig = &Apache::lonnet::get_dom('configuration',['usersessions'],$dom);
- if (ref($domconfig{'usersessions'}) eq 'HASH') {
- &Apache::lonnet::do_cache_new($name,$dom,$domconfig{'usersessions'},3600);
- return $domconfig{'usersessions'};
- }
+ &Apache::lonnet::do_cache_new($name,$dom,$domconfig{'usersessions'},3600);
+ return $domconfig{'usersessions'};
}
return;
}
-sub get_usersearch_config {
- my ($dom,$name) = @_;
- my ($usersearchconf,$cached)=&Apache::lonnet::is_cached_new($name,$dom);
- if (defined($cached)) {
- return $usersearchconf;
- } else {
- my %domconfig = &Apache::lonnet::get_dom('configuration',['directorysrch'],$dom);
- &Apache::lonnet::do_cache_new($name,$dom,$domconfig{'directorysrch'},3600);
- return $domconfig{'directorysrch'};
+sub get_prohibited {
+ my ($dom) = @_;
+ my $name = 'trust';
+ my ($trustconfig,$cached)=&Apache::lonnet::is_cached_new($name,$dom);
+ unless (defined($cached)) {
+ my %domconfig = &Apache::lonnet::get_dom('configuration',['trust'],$dom);
+ &Apache::lonnet::do_cache_new($name,$dom,$domconfig{'trust'},3600);
+ $trustconfig = $domconfig{'trust'};
+ }
+ my %prohibited;
+ if (ref($trustconfig)) {
+ foreach my $prefix (keys(%{$trustconfig})) {
+ if (ref($trustconfig->{$prefix}) eq 'HASH') {
+ my $reject;
+ if (ref($trustconfig->{$prefix}->{'exc'}) eq 'ARRAY') {
+ if (grep(/^\Q$clientintdom\E$/,@{$trustconfig->{$prefix}->{'exc'}})) {
+ $reject = 1;
+ }
+ }
+ if (ref($trustconfig->{$prefix}->{'inc'}) eq 'ARRAY') {
+ if (grep(/^\Q$clientintdom\E$/,@{$trustconfig->{$prefix}->{'inc'}})) {
+ $reject = 0;
+ } else {
+ $reject = 1;
+ }
+ }
+ if ($reject) {
+ $prohibited{$prefix} = 1;
+ }
+ }
+ }
}
- return;
+ return %prohibited;
}
sub distro_and_arch {
@@ -8268,7 +8318,7 @@ Allow for a password to be set.
Make a user.
-=item passwd
+=item changeuserauth
Allow for authentication mechanism and password to be changed.
@@ -8357,6 +8407,10 @@ for each student, defined perhaps by the
Returns usernames corresponding to IDs. (These "IDs" are unique identifiers
for each student, defined perhaps by the institutional Registrar.)
+=item iddel
+
+Deletes one or more ids in a domain's id database.
+
=item tmpput
Accept and store information in temporary space.
@@ -8413,6 +8467,8 @@ Authen::Krb5
=head1 COREQUISITES
+none
+
=head1 OSNAMES
linux
@@ -8500,9 +8556,9 @@ or the CA's certificate in the call to l
<error> is the textual reason this failed. Usual reasons:
=over 2
-
+
=item Apache config file for loncapa incorrect:
-
+
one of the variables
lonCertificateDirectory, lonnetCertificateAuthority, or lonnetCertificate
undefined or incorrect
@@ -8621,7 +8677,7 @@ Could not rewrite the
internal password file for a user
=item Result of password change for <user> : <result>
-
+
A unix password change for <user> was attempted
and the pipe returned <result>
@@ -8650,7 +8706,7 @@ lond has been asked to exit by its clien
client systemand <input> is the full exit command sent to the server.
=item Red CRITICAL: ABNORMAL EXIT. child <pid> for server <hostname> died through a crass with this error->[<message>].
-
+
A lond child terminated. NOte that this termination can also occur when the
child receives the QUIT or DIE signals. <pid> is the process id of the child,
<hostname> the host lond is working for, and <message> the reason the child died
@@ -8734,7 +8790,7 @@ file when sent it's USR1 signal. That p
assumed to be hung in some un-fixable way.
=item Finished checking children
-
+
Master processs's USR1 processing is cojmplete.
=item (Red) CRITICAL: ------- Starting ------
@@ -8748,7 +8804,7 @@ Started a new child process for <client>
connected to the child. This was as a result of a TCP/IP connection from a client.
=item Unable to determine who caller was, getpeername returned nothing
-
+
In child process initialization. either getpeername returned undef or
a zero sized object was returned. Processing continues, but in my opinion,
this should be cause for the child to exit.
@@ -8759,7 +8815,7 @@ In child process initialization. The pe
The client address is stored as "Unavailable" and processing continues.
=item (Yellow) INFO: Connection <ip> <name> connection type = <type>
-
+
In child initialization. A good connectionw as received from <ip>.
=over 2
@@ -8809,7 +8865,7 @@ The client (<client> is the peer's name
negotiated an SSL connection with this child process.
=item (Green) Successful insecure authentication with <client>
-
+
The client has successfully negotiated an insecure connection withthe child process.