--- loncom/lonnet/perl/lonnet.pm 2020/10/22 19:23:23 1.1431
+++ loncom/lonnet/perl/lonnet.pm 2021/02/01 00:20:56 1.1440
@@ -1,7 +1,7 @@
# The LearningOnline Network
# TCP networking package
#
-# $Id: lonnet.pm,v 1.1431 2020/10/22 19:23:23 raeburn Exp $
+# $Id: lonnet.pm,v 1.1440 2021/02/01 00:20:56 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -96,6 +96,7 @@ use Cache::Memcached;
use Digest::MD5;
use Math::Random;
use File::MMagic;
+use Net::CIDR;
use LONCAPA qw(:DEFAULT :match);
use LONCAPA::Configuration;
use LONCAPA::lonmetadata;
@@ -128,12 +129,13 @@ our @EXPORT = qw(%env);
$logid ++;
my $now = time();
my $id=$now.'00000'.$$.'00000'.$logid;
+ my $ip = &get_requestor_ip();
my $logentry = {
$id => {
'exe_uname' => $env{'user.name'},
'exe_udom' => $env{'user.domain'},
'exe_time' => $now,
- 'exe_ip' => $ENV{'REMOTE_ADDR'},
+ 'exe_ip' => $ip,
'delflag' => $delflag,
'logentry' => $storehash,
'uname' => $uname,
@@ -1443,6 +1445,15 @@ sub spare_can_host {
$canhost = 0;
}
}
+ if ($canhost) {
+ if (ref($defdomdefaults{'offloadoth'}) eq 'HASH') {
+ if ($defdomdefaults{'offloadoth'}{$try_server}) {
+ unless (&shared_institution($udom,$try_server)) {
+ $canhost = 0;
+ }
+ }
+ }
+ }
if (($canhost) && ($uint_dom)) {
my @intdoms;
my $internet_names = &get_internet_names($try_server);
@@ -2594,7 +2605,7 @@ sub get_domain_defaults {
'coursedefaults','usersessions',
'requestauthor','selfenrollment',
'coursecategories','ssl','autoenroll',
- 'trust','helpsettings'],$domain);
+ 'trust','helpsettings','wafproxy'],$domain);
my @coursetypes = ('official','unofficial','community','textbook','placement');
if (ref($domconfig{'defaults'}) eq 'HASH') {
$domdefaults{'lang_def'} = $domconfig{'defaults'}{'lang_def'};
@@ -2687,6 +2698,9 @@ sub get_domain_defaults {
if (ref($domconfig{'usersessions'}{'offloadnow'}) eq 'HASH') {
$domdefaults{'offloadnow'} = $domconfig{'usersessions'}{'offloadnow'};
}
+ if (ref($domconfig{'usersessions'}{'offloadoth'}) eq 'HASH') {
+ $domdefaults{'offloadoth'} = $domconfig{'usersessions'}{'offloadoth'};
+ }
}
if (ref($domconfig{'selfenrollment'}) eq 'HASH') {
if (ref($domconfig{'selfenrollment'}{'admin'}) eq 'HASH') {
@@ -2754,6 +2768,13 @@ sub get_domain_defaults {
$domdefaults{'adhocroles'} = $domconfig{'helpsettings'}{'adhoc'};
}
}
+ if (ref($domconfig{'wafproxy'}) eq 'HASH') {
+ foreach my $item ('ipheader','trusted','vpnint','vpnext') {
+ if ($domconfig{'wafproxy'}{$item}) {
+ $domdefaults{'waf_'.$item} = $domconfig{'wafproxy'}{$item};
+ }
+ }
+ }
&do_cache_new('domdefaults',$domain,\%domdefaults,$cachetime);
return %domdefaults;
}
@@ -5014,7 +5035,11 @@ sub courseacclog {
if ($formitem =~ /^HWFILE(?:SIZE|TOOBIG)/) {
$what.=':'.$formitem.'='.$env{$key};
} elsif ($formitem !~ /^HWFILE(?:[^.]+)$/) {
- $what.=':'.$formitem.'='.$env{$key};
+ if ($formitem eq 'proctorpassword') {
+ $what.=':'.$formitem.'=' . '*' x length($env{$key});
+ } else {
+ $what.=':'.$formitem.'='.$env{$key};
+ }
}
}
}
@@ -6096,7 +6121,7 @@ sub tmpreset {
if (!$domain) { $domain=$env{'user.domain'}; }
if (!$stuname) { $stuname=$env{'user.name'}; }
if ($domain eq 'public' && $stuname eq 'public') {
- $stuname=$ENV{'REMOTE_ADDR'};
+ $stuname=&get_requestor_ip();
}
my $path=LONCAPA::tempdir();
my %hash;
@@ -6133,7 +6158,7 @@ sub tmpstore {
if (!$domain) { $domain=$env{'user.domain'}; }
if (!$stuname) { $stuname=$env{'user.name'}; }
if ($domain eq 'public' && $stuname eq 'public') {
- $stuname=$ENV{'REMOTE_ADDR'};
+ $stuname=&get_requestor_ip();
}
my $now=time;
my %hash;
@@ -6177,7 +6202,7 @@ sub tmprestore {
if (!$domain) { $domain=$env{'user.domain'}; }
if (!$stuname) { $stuname=$env{'user.name'}; }
if ($domain eq 'public' && $stuname eq 'public') {
- $stuname=$ENV{'REMOTE_ADDR'};
+ $stuname=&get_requestor_ip();
}
my %returnhash;
$namespace=~s/\//\_/g;
@@ -6233,7 +6258,7 @@ sub store {
}
if (!$home) { $home=$env{'user.home'}; }
- $$storehash{'ip'}=$ENV{'REMOTE_ADDR'};
+ $$storehash{'ip'}=&get_requestor_ip();
$$storehash{'host'}=$perlvar{'lonHostID'};
my $namevalue='';
@@ -6269,7 +6294,7 @@ sub cstore {
}
if (!$home) { $home=$env{'user.home'}; }
- $$storehash{'ip'}=$ENV{'REMOTE_ADDR'};
+ $$storehash{'ip'}=&get_requestor_ip();
$$storehash{'host'}=$perlvar{'lonHostID'};
my $namevalue='';
@@ -7264,7 +7289,8 @@ sub putstore {
foreach my $key (keys(%{$storehash})) {
$namevalue.=&escape($key).'='.&freeze_escape($storehash->{$key}).'&';
}
- $namevalue .= 'ip='.&escape($ENV{'REMOTE_ADDR'}).
+ my $ip = &get_requestor_ip();
+ $namevalue .= 'ip='.&escape($ip).
'&host='.&escape($perlvar{'lonHostID'}).
'&version='.$esc_v.
'&by='.&escape($env{'user.name'}.':'.$env{'user.domain'});
@@ -8068,7 +8094,7 @@ sub allowed {
if (defined($env{'allowed.'.$priv})) { return $env{'allowed.'.$priv}; }
# Free bre access to adm and meta resources
- if (((($uri=~/^adm\//) && ($uri !~ m{/(?:smppg|bulletinboard|ext\.tool)$}))
+ if (((($uri=~/^adm\//) && ($uri !~ m{/(?:smppg|bulletinboard|viewclasslist|aboutme|ext\.tool)$}))
|| (($uri=~/\.meta$/) && ($uri!~m|^uploaded/|) ))
&& ($priv eq 'bre')) {
return 'F';
@@ -10311,13 +10337,14 @@ sub modifyuserauth {
' in domain '.$env{'request.role.domain'});
my $reply=&reply('encrypt:changeuserauth:'.$udom.':'.$uname.':'.$umode.':'.
&escape($upass),$uhome);
+ my $ip = &get_requestor_ip();
&log($env{'user.domain'},$env{'user.name'},$env{'user.home'},
'Authentication changed for '.$udom.', '.$uname.', '.$umode.
- '(Remote '.$ENV{'REMOTE_ADDR'}.'): '.$reply);
+ '(Remote '.$ip.'): '.$reply);
&log($udom,,$uname,$uhome,
'Authentication changed by '.$env{'user.domain'}.', '.
$env{'user.name'}.', '.$umode.
- '(Remote '.$ENV{'REMOTE_ADDR'}.'): '.$reply);
+ '(Remote '.$ip.'): '.$reply);
unless ($reply eq 'ok') {
&logthis('Authentication mode error: '.$reply);
return 'error: '.$reply;
@@ -10843,7 +10870,7 @@ sub store_userdata {
if (($uhome eq '') || ($uhome eq 'no_host')) {
$result = 'error: no_host';
} else {
- $storehash->{'ip'} = $ENV{'REMOTE_ADDR'};
+ $storehash->{'ip'} = &get_requestor_ip();
$storehash->{'host'} = $perlvar{'lonHostID'};
my $namevalue='';
@@ -14202,9 +14229,12 @@ sub default_login_domain {
}
sub shared_institution {
- my ($dom) = @_;
+ my ($dom,$lonhost) = @_;
+ if ($lonhost eq '') {
+ $lonhost = $perlvar{'lonHostID'};
+ }
my $same_intdom;
- my $hostintdom = &internet_dom($perlvar{'lonHostID'});
+ my $hostintdom = &internet_dom($lonhost);
if ($hostintdom ne '') {
my %iphost = &get_iphost();
my $primary_id = &domain($dom,'primary');
@@ -14258,6 +14288,101 @@ sub uses_sts {
}
}
return;
+}
+
+sub get_requestor_ip {
+ my ($r,$nolookup,$noproxy) = @_;
+ my $from_ip;
+ if (ref($r)) {
+ $from_ip = $r->get_remote_host($nolookup);
+ } else {
+ $from_ip = $ENV{'REMOTE_ADDR'};
+ }
+ return $from_ip if ($noproxy);
+ # Who controls proxy settings for server
+ my $dom_in_use = $Apache::lonnet::perlvar{'lonDefDomain'};
+ my $proxyinfo = &get_proxy_settings($dom_in_use);
+ if ((ref($proxyinfo) eq 'HASH') && ($from_ip)) {
+ if ($proxyinfo->{'vpnint'}) {
+ if (&ip_match($from_ip,$proxyinfo->{'vpnint'})) {
+ return $from_ip;
+ }
+ }
+ if ($proxyinfo->{'trusted'}) {
+ if (&ip_match($from_ip,$proxyinfo->{'trusted'})) {
+ my $ipheader = $proxyinfo->{'ipheader'};
+ my ($ip,$xfor);
+ if (ref($r)) {
+ if ($ipheader) {
+ $ip = $r->headers_in->{$ipheader};
+ }
+ $xfor = $r->headers_in->{'X-Forwarded-For'};
+ } else {
+ if ($ipheader) {
+ $ip = $ENV{'HTTP_'.uc($ipheader)};
+ }
+ $xfor = $ENV{'HTTP_X_FORWARDED_FOR'};
+ }
+ if (($ip eq '') && ($xfor ne '')) {
+ foreach my $poss_ip (reverse(split(/\s*,\s*/,$xfor))) {
+ unless (&ip_match($poss_ip,$proxyinfo->{'trusted'})) {
+ $ip = $poss_ip;
+ last;
+ }
+ }
+ }
+ if ($ip ne '') {
+ return $ip;
+ }
+ }
+ }
+ }
+ return $from_ip;
+}
+
+sub get_proxy_settings {
+ my ($dom_in_use) = @_;
+ my %domdefaults = &Apache::lonnet::get_domain_defaults($dom_in_use);
+ my $proxyinfo = {
+ ipheader => $domdefaults{'waf_ipheader'},
+ trusted => $domdefaults{'waf_trusted'},
+ vpnint => $domdefaults{'waf_vpnint'},
+ vpnext => $domdefaults{'waf_vpnext'},
+ };
+ return $proxyinfo;
+}
+
+sub ip_match {
+ my ($ip,$pattern_str) = @_;
+ $ip=Net::CIDR::cidrvalidate($ip);
+ if ($ip) {
+ return Net::CIDR::cidrlookup($ip,split(/\s*,\s*/,$pattern_str));
+ }
+ return;
+}
+
+sub get_proxy_alias {
+ my $lonhost = $perlvar{'lonHostID'};
+ if ($lonhost ne '') {
+ my ($alias,$cached) = &is_cached_new('proxyalias',$lonhost);
+ if ($cached) {
+ return $alias;
+ }
+ my $dom = &Apache::lonnet::host_domain($lonhost);
+ if ($dom ne '') {
+ my $cachetime = 60*60*24;
+ my %domconfig =
+ &Apache::lonnet::get_dom('configuration',['wafproxy'],$dom);
+ my $alias;
+ if (ref($domconfig{'wafproxy'}) eq 'HASH') {
+ if (ref($domconfig{'wafproxy'}{'alias'}) eq 'HASH') {
+ $alias = $domconfig{'wafproxy'}{'alias'}{$lonhost};
+ }
+ }
+ return &do_cache_new('proxyalias',$lonhost,$alias,$cachetime);
+ }
+ }
+ return;
}
# ------------------------------------------------------------- Declutters URLs