--- loncom/LondConnection.pm 2004/09/21 10:51:42 1.35 +++ loncom/LondConnection.pm 2018/07/29 03:03:36 1.56 @@ -1,7 +1,7 @@ # This module defines and implements a class that represents # a connection to a lond daemon. # -# $Id: LondConnection.pm,v 1.35 2004/09/21 10:51:42 foxr Exp $ +# $Id: LondConnection.pm,v 1.56 2018/07/29 03:03:36 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -40,12 +40,11 @@ use LONCAPA::lonlocal; use LONCAPA::lonssl; - - my $DebugLevel=0; -my %hostshash; my %perlvar; -my $LocalDns = ""; # Need not be defined for managers. +my %secureconf; +my %badcerts; +my %hosttypes; my $InsecureOk; # @@ -71,67 +70,21 @@ sub ReadConfig { my $perlvarref = read_conf('loncapa.conf'); %perlvar = %{$perlvarref}; - my $hoststab = read_hosts( - "$perlvar{lonTabDir}/hosts.tab") || - die "Can't read host table!!"; - %hostshash = %{$hoststab}; $ConfigRead = 1; - - my $myLonCapaName = $perlvar{lonHostID}; - Debug(8, "My loncapa name is $myLonCapaName"); - - if(defined $hostshash{$myLonCapaName}) { - Debug(8, "My loncapa name is in hosthash"); - my @ConfigLine = @{$hostshash{$myLonCapaName}}; - $LocalDns = $ConfigLine[3]; - Debug(8, "Got local name $LocalDns"); - } - $InsecureOk = $perlvar{loncAllowInsecure}; - - Debug(3, "ReadConfig - LocalDNS = $LocalDns"); -} -# -# Read a foreign configuration. -# This sub is intended for the cases where the package -# will be read from outside the LonCAPA environment, in that case -# the client will need to explicitly provide: -# - A file in hosts.tab format. -# - Some idea of the 'lonCAPA' name of the local host (for building -# the encryption key). -# -# Parameters: -# MyHost - Name of this host as far as LonCAPA is concerned. -# Filename - Name of a hosts.tab formatted file that will be used -# to build up the hosts table. -# -sub ReadForeignConfig { - - my ($MyHost, $Filename) = @_; - - &Debug(4, "ReadForeignConfig $MyHost $Filename\n"); + $InsecureOk = $perlvar{loncAllowInsecure}; - $perlvar{lonHostID} = $MyHost; # Rmember my host. - my $hosttab = read_hosts($Filename) || - die "Can't read hosts table!!"; - %hostshash = %{$hosttab}; - if($DebugLevel > 3) { - foreach my $host (keys %hostshash) { - print STDERR "host $host => $hostshash{$host}\n"; - } + unless (lonssl::Read_Connect_Config(\%secureconf,\%perlvar) eq 'ok') { + Debug(1,"Failed to retrieve secureconf hash.\n"); } - $ConfigRead = 1; - - my $myLonCapaName = $perlvar{lonHostID}; - - if(defined $hostshash{$myLonCapaName}) { - my @ConfigLine = @{$hostshash{$myLonCapaName}}; - $LocalDns = $ConfigLine[3]; + unless (lonssl::Read_Host_Types(\%hosttypes,\%perlvar) eq 'ok') { + Debug(1,"Failed to retrieve hosttypes hash.\n"); } - $InsecureOk = $perlvar{loncAllowInsecure}; - - Debug(3, "ReadForeignConfig - LocalDNS = $LocalDns"); + undef(%badcerts); +} +sub ResetReadConfig { + $ConfigRead = 0; } sub Debug { @@ -157,7 +110,7 @@ sub Dump { my $now = time; my $local = localtime($now); - if ($level <= $DebugLevel) { + if ($level >= $DebugLevel) { return; } @@ -165,6 +118,7 @@ sub Dump { my $key; my $value; print STDERR "[ $local ] Dumping LondConnectionObject:\n"; + print STDERR join(':',caller(1))."\n"; while(($key, $value) = each %$self) { print STDERR "$key -> $value\n"; } @@ -212,14 +166,28 @@ host the remote lond is on. This host is =cut sub new { - - my ($class, $Hostname, $Port) = @_; + my ($class, $DnsName, $Port, $lonid) = @_; if (!$ConfigRead) { ReadConfig(); $ConfigRead = 1; } - &Debug(4,$class."::new( ".$Hostname.",".$Port.")\n"); + &Debug(4,$class."::new( ".$DnsName.",".$Port.",".$lonid.")\n"); + + my ($conntype,$gotconninfo,$allowinsecure); + if ((ref($secureconf{'connto'}) eq 'HASH') && + (exists($hosttypes{$lonid}))) { + $conntype = $secureconf{'connto'}{$hosttypes{$lonid}}; + if ($conntype ne '') { + if ($conntype ne 'req') { + $allowinsecure = 1; + } + $gotconninfo = 1; + } + } + unless ($gotconninfo) { + $allowinsecure = $InsecureOk; + } # The host must map to an entry in the hosts table: # We connect to the dns host that corresponds to that @@ -227,21 +195,19 @@ sub new { # negotion. In the objec these become the Host and # LoncapaHim fields of the object respectively. # - if (!exists $hostshash{$Hostname}) { - &Debug(8, "No Such host $Hostname"); - return undef; # No such host!!! - } - my @ConfigLine = @{$hostshash{$Hostname}}; - my $DnsName = $ConfigLine[3]; # 4'th item is dns of host. - Debug(5, "Connecting to ".$DnsName); + # if it is me use loopback for connection + if ($DnsName eq &main::my_hostname()) { $DnsName="127.0.0.1"; } + Debug(9, "Connecting to $DnsName"); # Now create the object... my $self = { Host => $DnsName, - LoncapaHim => $Hostname, + LoncapaHim => $lonid, Port => $Port, State => "Initialized", AuthenticationMode => "", + InsecureOK => $allowinsecure, TransactionRequest => "", TransactionReply => "", + NextRequest => "", InformReadable => 0, InformWritable => 0, TimeoutCallback => undef, @@ -252,23 +218,25 @@ sub new { LocalKeyFile => "", CipherKey => "", LondVersion => "Unknown", - Cipher => undef}; + Cipher => undef, + ClientData => undef}; bless($self, $class); unless ($self->{Socket} = IO::Socket::INET->new(PeerHost => $self->{Host}, PeerPort => $self->{Port}, Type => SOCK_STREAM, Proto => "tcp", Timeout => 3)) { + Debug(8, "Error? \n$@ \n$!"); return undef; # Inidicates the socket could not be made. } my $socket = $self->{Socket}; # For local use only. + $socket->sockopt(SO_KEEPALIVE, 1); # Turn on keepalive probes when idle. # If we are local, we'll first try local auth mode, otherwise, we'll try # the ssl auth mode: - Debug(8, "Connecting to $DnsName I am $LocalDns"); my $key; my $keyfile; - if ($DnsName eq $LocalDns) { + if ($DnsName eq '127.0.0.1') { $self->{AuthenticationMode} = "local"; ($key, $keyfile) = lonlocal::CreateKeyFile(); Debug(8, "Local key: $key, stored in $keyfile"); @@ -277,7 +245,15 @@ sub new { # allowed...else give up right away. if(!(defined $key) || !(defined $keyfile)) { - if($InsecureOk) { + my $canconnect = 0; + if (ref($secureconf{'connto'}) eq 'HASH') { + unless ($secureconf{'connto'}->{'dom'} eq 'req') { + $canconnect = 1; + } + } else { + $canconnect = $InsecureOk; + } + if ($canconnect) { $self->{AuthenticationMode} = "insecure"; $self->{TransactionRequest} = "init\n"; } @@ -293,8 +269,7 @@ sub new { return undef; } - } - else { + } else { # Remote peer: I'd like to do ssl, but if my host key or certificates # are not all installed, my only choice is insecure, if that's # allowed: @@ -302,19 +277,18 @@ sub new { my ($ca, $cert) = lonssl::CertificateFile; my $sslkeyfile = lonssl::KeyFile; - if((defined $ca) && (defined $cert) && (defined $sslkeyfile)) { - + if (($conntype ne 'no') && (defined($ca)) && (defined($cert)) && (defined($sslkeyfile)) && + (!exists($badcerts{$self->{LoncapaHim}}))) { $self->{AuthenticationMode} = "ssl"; - $self->{TransactionRequest} = "init:ssl\n"; + $self->{TransactionRequest} = "init:ssl:$perlvar{'lonVersion'}\n"; + } elsif ($self->{InsecureOK}) { + # Allowed to do insecure: + $self->{AuthenticationMode} = "insecure"; + $self->{TransactionRequest} = "init::$perlvar{'lonVersion'}\n"; } else { - if($InsecureOk) { # Allowed to do insecure: - $self->{AuthenticationMode} = "insecure"; - $self->{TransactionRequest} = "init\n"; - } - else { # Not allowed to do insecure... - $socket->close; - return undef; - } + # Not allowed to do insecure... + $socket->close; + return undef; } } @@ -329,7 +303,6 @@ sub new { # # Set socket to nonblocking I/O. # - my $socket = $self->{Socket}; my $flags = fcntl($socket, F_GETFL,0); if(!$flags) { $socket->close; @@ -405,6 +378,11 @@ sub Readable { $self->Transition("Disconnected"); return -1; } + # If we actually got data, reset the timeout. + + if (length $data) { + $self->{TimeoutRemaining} = $self->{TimeoutValue}; # getting data resets the timeout period. + } # Append the data to the buffer. And figure out if the read is done: &Debug(9,"Received from host: ".$data); @@ -457,7 +435,8 @@ sub Readable { } elsif ($ConnectionMode eq "ssl") { if($Response =~ /^ok:ssl/) { # Good ssl... - if($self->ExchangeKeysViaSSL()) { # Success skip to vsn stuff + my $sslresult = $self->ExchangeKeysViaSSL(); + if ($sslresult == 1) { # Success skip to vsn stuff # Need to reset to non blocking: my $flags = fcntl($socket, F_GETFL, 0); @@ -466,6 +445,9 @@ sub Readable { return 0; } else { # Failed in ssl exchange. + if (($sslresult == -1) && ($self->{InsecureOK})) { + $badcerts{$self->{LoncapaHim}} = 1; + } &Debug(3,"init:ssl failed key negotiation!"); $self->Transition("Disconnected"); $socket->close; @@ -504,7 +486,8 @@ sub Readable { return 0; } elsif ($self->{State} eq "ReadingVersionString") { - $self->{LondVersion} = chomp($self->{TransactionReply}); + chomp($self->{TransactionReply}); + $self->{LondVersion} = $self->{TransactionReply}; $self->Transition("SetHost"); $self->{InformReadable} = 0; $self->{InformWritable} = 1; @@ -557,11 +540,22 @@ sub Readable { $answer = $self->Decrypt($answer); $self->{TransactionReply} = "$answer\n"; } - + # if we have a NextRequest do it immeadiately + if ($self->{NextRequest}) { + $self->{TransactionRequest} = $self->{NextRequest}; + undef( $self->{NextRequest} ); + $self->{TransactionReply} = ""; + $self->{InformWritable} = 1; + $self->{InformReadable} = 0; + $self->{Timeoutable} = 1; + $self->Transition("SendingRequest"); + return 0; + } else { # finish the transaction - $self->ToIdle(); - return 0; + $self->ToIdle(); + return 0; + } } elsif ($self->{State} eq "Disconnected") { # No connection. return -1; } else { # Internal error: Invalid state. @@ -615,41 +609,42 @@ sub Writable { ($errno == POSIX::EAGAIN) || ($errno == POSIX::EINTR) || ($errno == 0)) { + $self->{TimeoutRemaining} = $self->{TimeoutValue}; substr($self->{TransactionRequest}, 0, $nwritten) = ""; # rmv written part - if(length $self->{TransactionRequest} == 0) { - $self->{InformWritable} = 0; - $self->{InformReadable} = 1; - $self->{TransactionReply} = ''; - # - # Figure out the next state: - # - if($self->{State} eq "Connected") { - $self->Transition("Initialized"); - } elsif($self->{State} eq "ChallengeReceived") { - $self->Transition("ChallengeReplied"); - } elsif($self->{State} eq "RequestingVersion") { - $self->Transition("ReadingVersionString"); - } elsif ($self->{State} eq "SetHost") { - $self->Transition("HostSet"); - } elsif($self->{State} eq "RequestingKey") { - $self->Transition("ReceivingKey"); + if(length $self->{TransactionRequest} == 0) { + $self->{InformWritable} = 0; + $self->{InformReadable} = 1; + $self->{TransactionReply} = ''; + # + # Figure out the next state: + # + if($self->{State} eq "Connected") { + $self->Transition("Initialized"); + } elsif($self->{State} eq "ChallengeReceived") { + $self->Transition("ChallengeReplied"); + } elsif($self->{State} eq "RequestingVersion") { + $self->Transition("ReadingVersionString"); + } elsif ($self->{State} eq "SetHost") { + $self->Transition("HostSet"); + } elsif($self->{State} eq "RequestingKey") { + $self->Transition("ReceivingKey"); # $self->{InformWritable} = 0; # $self->{InformReadable} = 1; # $self->{TransactionReply} = ''; - } elsif ($self->{State} eq "SendingRequest") { - $self->Transition("ReceivingReply"); - $self->{TimeoutRemaining} = $self->{TimeoutValue}; - } elsif ($self->{State} eq "Disconnected") { - return -1; - } - return 0; - } - } else { # The write failed (e.g. partner disconnected). - $self->Transition("Disconnected"); - $socket->close(); - return -1; - } - + } elsif ($self->{State} eq "SendingRequest") { + $self->Transition("ReceivingReply"); + $self->{TimeoutRemaining} = $self->{TimeoutValue}; + } elsif ($self->{State} eq "Disconnected") { + return -1; + } + return 0; + } + } else { # The write failed (e.g. partner disconnected). + $self->Transition("Disconnected"); + $socket->close(); + return -1; + } + } =pod @@ -713,14 +708,26 @@ sub InitiateTransaction { return -1; # Error indicator. } # if the transaction is to be encrypted encrypt the data: + (my $sethost, my $server,$data)=split(/:/,$data,3); if($data =~ /^encrypt\:/) { $data = $self->Encrypt($data); } # Setup the trasaction - - $self->{TransactionRequest} = $data; + # currently no version of lond supports inlining the sethost + if ($self->PeerVersion() <= 321) { + if ($server ne $self->{LoncapaHim}) { + $self->{NextRequest} = $data; + $self->{TransactionRequest} = "$sethost:$server\n"; + $self->{LoncapaHim} = $server; + } else { + $self->{TransactionRequest} = $data; + } + } else { + $self->{LoncapaHim} = $server; + $self->{TransactionRequest} = "$sethost:$server:$data"; + } $self->{TransactionReply} = ""; $self->{InformWritable} = 1; $self->{InformReadable} = 0; @@ -784,6 +791,7 @@ sub Shutdown { $socket->shutdown(2); } } + $self->{Timeoutable} = 0; # Shutdown sockets can't timeout. } =pod @@ -1034,6 +1042,7 @@ sub CreateCipher { sub ExchangeKeysViaSSL { my $self = shift; my $socket = $self->{Socket}; + my $peer = $self->{LoncapaHim}; # Get our signed certificate, the certificate authority's # certificate and our private key file. All of these @@ -1048,7 +1057,8 @@ sub ExchangeKeysViaSSL { my $SSLSocket = lonssl::PromoteClientSocket($socket, $SSLCACertificate, $SSLCertificate, - $SSLKey); + $SSLKey, + $peer); if(defined $SSLSocket) { my $key = <$SSLSocket>; lonssl::Close($SSLSocket); @@ -1064,7 +1074,7 @@ sub ExchangeKeysViaSSL { else { # Failed!! Debug(3, "Failed to negotiate SSL connection!"); - return 0; + return -1; } # should not get here return 0; @@ -1089,7 +1099,7 @@ sub ExchangeKeysViaSSL { # sub CompleteInsecure { my $self = shift; - if($InsecureOk) { + if ($self->{InsecureOK}) { $self->{AuthenticationMode} = "insecure"; &Debug(8," Transition out of Initialized:insecure"); $self->{TransactionRequest} = $self->{TransactionReply}; @@ -1109,31 +1119,6 @@ sub CompleteInsecure { } } -=pod - -=head2 GetHostIterator - -Returns a hash iterator to the host information. Each get from -this iterator returns a reference to an array that contains -information read from the hosts configuration file. Array elements -are used as follows: - - [0] - LonCapa host name. - [1] - LonCapa domain name. - [2] - Loncapa role (e.g. library or access). - [3] - DNS name server hostname. - [4] - IP address (result of e.g. nslookup [3]). - [5] - Maximum connection count. - [6] - Idle timeout for reducing connection count. - [7] - Minimum connection count. - -=cut - -sub GetHostIterator { - - return HashIterator->new(\%hostshash); -} - ########################################################### # # The following is an unashamed kludge that is here to @@ -1145,7 +1130,7 @@ sub GetHostIterator { # -my $confdir='/etc/httpd/conf/'; +my @confdirs=('/etc/httpd/conf/','/etc/apache2/'); # ------------------- Subroutine read_conf: read LON-CAPA server configuration. # This subroutine reads PerlSetVar values out of specified web server @@ -1153,25 +1138,33 @@ my $confdir='/etc/httpd/conf/'; sub read_conf { my (@conf_files)=@_; - my %perlvar; - foreach my $filename (@conf_files,'loncapa_apache.conf') - { - if($DebugLevel > 3) { - print STDERR ("Going to read $confdir.$filename\n"); - } - open(CONFIG,'<'.$confdir.$filename) or - die("Can't read $confdir$filename"); - while (my $configline=) - { - if ($configline =~ /^[^\#]*PerlSetVar/) - { - my ($unused,$varname,$varvalue)=split(/\s+/,$configline); + my (%perlvar,%configdirs); + foreach my $filename (@conf_files,'loncapa_apache.conf') { + my $configdir = ''; + $configdirs{$filename} = [@confdirs]; + while ($configdir eq '' && @{$configdirs{$filename}} > 0) { + my $testdir = shift(@{$configdirs{$filename}}); + if (-e $testdir.$filename) { + $configdir = $testdir; + } + } + if ($configdir eq '') { + die("Couldn't find a directory containing $filename"); + } + if($DebugLevel > 3) { + print STDERR ("Going to read $configdir.$filename\n"); + } + open(CONFIG,'<'.$configdir.$filename) or + die("Can't read $configdir$filename"); + while (my $configline=) { + if ($configline =~ /^[^\#]*PerlSetVar/) { + my ($unused,$varname,$varvalue)=split(/\s+/,$configline); chomp($varvalue); $perlvar{$varname}=$varvalue; - } - } + } + } close(CONFIG); - } + } if($DebugLevel > 3) { print STDERR "Dumping perlvar:\n"; foreach my $var (keys %perlvar) { @@ -1182,44 +1175,6 @@ sub read_conf return $perlvarref; } -#---------------------- Subroutine read_hosts: Read a LON-CAPA hosts.tab -# formatted configuration file. -# -my $RequiredCount = 5; # Required item count in hosts.tab. -my $DefaultMaxCon = 5; # Default value for maximum connections. -my $DefaultIdle = 1000; # Default connection idle time in seconds. -my $DefaultMinCon = 0; # Default value for minimum connections. - -sub read_hosts { - my $Filename = shift; - my %HostsTab; - - open(CONFIG,'<'.$Filename) or die("Can't read $Filename"); - while (my $line = ) { - if (!($line =~ /^\s*\#/)) { - my @items = split(/:/, $line); - if(scalar @items >= $RequiredCount) { - if (scalar @items == $RequiredCount) { # Only required items: - $items[$RequiredCount] = $DefaultMaxCon; - } - if(scalar @items == $RequiredCount + 1) { # up through maxcon. - $items[$RequiredCount+1] = $DefaultIdle; - } - if(scalar @items == $RequiredCount + 2) { # up through idle. - $items[$RequiredCount+2] = $DefaultMinCon; - } - { - my @list = @items; # probably not needed but I'm unsure of - # about the scope of item so... - $HostsTab{$list[0]} = \@list; - } - } - } - } - close(CONFIG); - my $hostref = \%HostsTab; - return ($hostref); -} # # Get the version of our peer. Note that this is only well # defined if the state machine has hit the idle state at least @@ -1228,8 +1183,32 @@ sub read_hosts { # sub PeerVersion { my $self = shift; - - return $self->{LondVersion}; + my ($version) = ($self->{LondVersion} =~ /Revision: 1\.(\d+)/); + return $version; +} + +# +# Manipulate the client data field +# +sub SetClientData { + my ($self, $newData) = @_; + $self->{ClientData} = $newData; +} +# +# Get the current client data field. +# +sub GetClientData { + my $self = shift; + return $self->{ClientData}; +} + +# +# Get the HostID of our peer +# + +sub PeerLoncapaHim { + my $self = shift; + return $self->{LoncapaHim}; } 1; @@ -1425,8 +1404,4 @@ true if the current state requires a wri true if the current state requires timeout support. -=item GetHostIterator: - -Returns an iterator into the host file hash. - =cut