--- loncom/lond 2017/02/28 05:42:06 1.532 +++ loncom/lond 2017/03/20 13:53:22 1.535 @@ -2,7 +2,7 @@ # The LearningOnline Network # lond "LON Daemon" Server (port "LOND" 5663) # -# $Id: lond,v 1.532 2017/02/28 05:42:06 raeburn Exp $ +# $Id: lond,v 1.535 2017/03/20 13:53:22 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -65,7 +65,7 @@ my $DEBUG = 0; # Non zero to ena my $status=''; my $lastlog=''; -my $VERSION='$Revision: 1.532 $'; #' stupid emacs +my $VERSION='$Revision: 1.535 $'; #' stupid emacs my $remoteVERSION; my $currenthostid="default"; my $currentdomainid; @@ -265,6 +265,17 @@ my %trust = ( putstore => {remote => 1, enroll => 1}, queryreply => {anywhere => 1}, querysend => {anywhere => 1}, + querysend_activitylog => {remote => 1}, + querysend_allusers => {remote => 1, domroles => 1}, + querysend_courselog => {remote => 1}, + querysend_fetchenrollment => {remote => 1}, + querysend_getinstuser => {remote => 1}, + querysend_getmultinstusers => {remote => 1}, + querysend_instdirsearch => {remote => 1, domroles => 1, coaurem => 1}, + querysend_institutionalphotos => {remote => 1}, + querysend_portfolio_metadata => {remote => 1, content => 1}, + querysend_userlog => {remote => 1, domroles => 1}, + querysend_usersearch => {remote => 1, enroll => 1, coaurem => 1}, quit => {anywhere => 1}, readlonnetglobal => {institutiononly => 1}, reinit => {manageronly => 1}, #not used currently @@ -2323,12 +2334,8 @@ sub hash_passwd { my $plainsalt = substr($rest[1],0,22); $salt = Crypt::Eksblowfish::Bcrypt::de_base64($plainsalt); } else { - my $defaultcost; - my %domconfig = - &Apache::lonnet::get_dom('configuration',['password'],$domain); - if (ref($domconfig{'password'}) eq 'HASH') { - $defaultcost = $domconfig{'password'}{'cost'}; - } + my %domdefaults = &Apache::lonnet::get_domain_defaults($domain); + my $defaultcost = $domdefaults{'intauth_cost'}; if (($defaultcost eq '') || ($defaultcost =~ /D/)) { $cost = 10; } else { @@ -3958,7 +3965,7 @@ sub retrieve_chat_handler { # serviced. # # Parameters: -# $cmd - COmmand keyword that initiated the request. +# $cmd - Command keyword that initiated the request. # $tail - Remainder of the command after the keyword. # For this function, this consists of a query and # 3 arguments that are self-documentingly labelled @@ -3972,11 +3979,41 @@ sub retrieve_chat_handler { sub send_query_handler { my ($cmd, $tail, $client) = @_; - my $userinput = "$cmd:$tail"; my ($query,$arg1,$arg2,$arg3)=split(/\:/,$tail); $query=~s/\n*$//g; + if (($query eq 'usersearch') || ($query eq 'instdirsearch')) { + my $usersearchconf = &get_usersearch_config($currentdomainid,'directorysrch'); + my $earlyout; + if (ref($usersearchconf) eq 'HASH') { + if ($currentdomainid eq $clienthomedom) { + if ($query eq 'usersearch') { + if ($usersearchconf->{'lcavailable'} eq '0') { + $earlyout = 1; + } + } else { + if ($usersearchconf->{'available'} eq '0') { + $earlyout = 1; + } + } + } else { + if ($query eq 'usersearch') { + if ($usersearchconf->{'lclocalonly'}) { + $earlyout = 1; + } + } else { + if ($usersearchconf->{'localonly'}) { + $earlyout = 1; + } + } + } + } + if ($earlyout) { + &Reply($client, "query_not_authorized\n"); + return 1; + } + } &Reply($client, "". &sql_reply("$clientname\&$query". "\&$arg1"."\&$arg2"."\&$arg3")."\n", $userinput); @@ -6515,6 +6552,18 @@ sub process_request { $ok = 0; } if ($ok) { + my $realcommand = $command; + if ($command eq 'querysend') { + my ($query,$rest)=split(/\:/,$tail,2); + $query=~s/\n*$//g; + my @possqueries = + qw(userlog courselog fetchenrollment institutionalphotos usersearch instdirsearch getinstuser getmultinstusers); + if (grep(/^\Q$query\E$/,@possqueries)) { + $command .= '_'.$query; + } elsif ($query eq 'prepare activity log') { + $command .= '_activitylog'; + } + } if (ref($trust{$command}) eq 'HASH') { my $donechecks; if ($trust{$command}{'anywhere'}) { @@ -6556,6 +6605,7 @@ sub process_request { } } } + $command = $realcommand; } if($ok) { @@ -7372,7 +7422,6 @@ sub make_new_child { ."Attempted insecure connection disallowed "); close $client; $clientok = 0; - } } } else { @@ -7381,7 +7430,6 @@ sub make_new_child { ."$clientip failed to initialize: >$remotereq< "); &status('No init '.$clientip); } - } else { &logthis( "WARNING: Unknown client $clientip"); @@ -7618,15 +7666,25 @@ sub password_filename { # domain - domain of the user. # name - User's name. # contents - New contents of the file. +# saveold - (optional). If true save old file in a passwd.bak file. # Returns: # 0 - Failed. # 1 - Success. # sub rewrite_password_file { - my ($domain, $user, $contents) = @_; + my ($domain, $user, $contents, $saveold) = @_; my $file = &password_filename($domain, $user); if (defined $file) { + if ($saveold) { + my $bakfile = $file.'.bak'; + if (CopyFile($file,$bakfile)) { + chmod(0400,$bakfile); + &logthis("Old password saved in passwd.bak for internally authenticated user: $user:$domain"); + } else { + &logthis("Failed to save old password in passwd.bak for internally authenticated user: $user:$domain"); + } + } my $pf = IO::File->new(">$file"); if($pf) { print $pf "$contents\n"; @@ -7717,20 +7775,27 @@ sub validate_user { $contentpwd = $domdefaults{'auth_arg_def'}; } } - } + } if ($howpwd ne 'nouser') { if($howpwd eq "internal") { # Encrypted is in local password file. if (length($contentpwd) == 13) { $validated = (crypt($password,$contentpwd) eq $contentpwd); if ($validated) { - my $ncpass = &hash_passwd($domain,$password); - if (&rewrite_password_file($domain,$user,"$howpwd:$ncpass")) { - &update_passwd_history($user,$domain,$howpwd,'conversion'); - &logthis("Validated password hashed with bcrypt for $user:$domain"); + my %domdefaults = &Apache::lonnet::get_domain_defaults($domain); + if ($domdefaults{'intauth_switch'}) { + my $ncpass = &hash_passwd($domain,$password); + my $saveold; + if ($domdefaults{'intauth_switch'} == 2) { + $saveold = 1; + } + if (&rewrite_password_file($domain,$user,"$howpwd:$ncpass",$saveold)) { + &update_passwd_history($user,$domain,$howpwd,'conversion'); + &logthis("Validated password hashed with bcrypt for $user:$domain"); + } } } } else { - $validated = &check_internal_passwd($password,$contentpwd,$domain); + $validated = &check_internal_passwd($password,$contentpwd,$domain,$user); } } elsif ($howpwd eq "unix") { # User is a normal unix user. @@ -7800,24 +7865,35 @@ sub validate_user { } sub check_internal_passwd { - my ($plainpass,$stored,$domain) = @_; + my ($plainpass,$stored,$domain,$user) = @_; my (undef,$method,@rest) = split(/!/,$stored); - if ($method eq "bcrypt") { + if ($method eq 'bcrypt') { my $result = &hash_passwd($domain,$plainpass,@rest); if ($result ne $stored) { return 0; } - # Upgrade to a larger number of rounds if necessary - my $defaultcost; - my %domconfig = - &Apache::lonnet::get_dom('configuration',['password'],$domain); - if (ref($domconfig{'password'}) eq 'HASH') { - $defaultcost = $domconfig{'password'}{'cost'}; - } - if (($defaultcost eq '') || ($defaultcost =~ /D/)) { - $defaultcost = 10; + my %domdefaults = &Apache::lonnet::get_domain_defaults($domain); + if ($domdefaults{'intauth_check'}) { + # Upgrade to a larger number of rounds if necessary + my $defaultcost = $domdefaults{'intauth_cost'}; + if (($defaultcost eq '') || ($defaultcost =~ /D/)) { + $defaultcost = 10; + } + if (int($rest[0])