--- loncom/auth/lonauth.pm 2000/06/29 20:43:03 1.8 +++ loncom/auth/lonauth.pm 2008/05/30 19:09:50 1.92 @@ -1,159 +1,213 @@ # The LearningOnline Network # User Authentication Module -# 5/21/99,5/22,5/25,5/26,5/27,5/29,6/2,6/11,6/14,6/15 -# 16/11,12/16, -# 1/14,2/24,2/28,2/29,3/7,5/29,5/30,5/31,6/1,6/5,6/29 Gerd Kortemeyer +# +# $Id: lonauth.pm,v 1.92 2008/05/30 19:09:50 bisitz Exp $ +# +# Copyright Michigan State University Board of Trustees +# +# This file is part of the LearningOnline Network with CAPA (LON-CAPA). +# +# LON-CAPA is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# LON-CAPA is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with LON-CAPA; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# +# /home/httpd/html/adm/gpl.txt +# +# http://www.lon-capa.org/ +# package Apache::lonauth; +use strict; +use LONCAPA; use Apache::Constants qw(:common); -use Apache::File; use CGI qw(:standard); -use CGI::Cookie(); +use DynaLoader; # for Crypt::DES version use Crypt::DES; -use Apache::lonnet(); - +use Apache::loncommon(); +use Apache::lonnet; +use Apache::lonmenu(); +use Apache::createaccount; +use Fcntl qw(:flock); +use Apache::lonlocal; + # ------------------------------------------------------------ Successful login - sub success { - my ($r, $username, $domain, $authhost,$lowerurl) = @_; - my $lonids=$r->dir_config('lonIDsDir'); + my ($r, $username, $domain, $authhost, $lowerurl, $extra_env, + $form) = @_; + +# ------------------------------------------------------------ Get cookie ready + my $cookie = + &Apache::loncommon::init_user_environment($r, $username, $domain, + $authhost, $form, + {'extra_env' => $extra_env,}); + + my $public=($username eq 'public' && $domain eq 'public'); + + if ($public or $lowerurl eq 'noredirect') { return $cookie; } -# See if old ID present, if so, remove - my $cookie; - while ($cookie=<$lonids/$username\_*\_$domain\_$authhost.id>) { - unlink($cookie); - } - -# Give them a new cookie - - my $now=time; - $cookie="$username\_$now\_$domain\_$authhost"; - -# Initialize roles - - my $userroles=Apache::lonnet::rolesinit($domain,$username,$authhost); - -# ------------------------------------ Check browser type and MathML capability - - my @browsertype=split(/\&/,$r->dir_config("lonBrowsDet")); - my %mathcap=split(/\&/,$r->dir_config("lonMathML")); - my $httpbrowser=$ENV{"HTTP_USER_AGENT"}; - my $i; - my $clientbrowser='unknown'; - my $clientversion='0'; - my $clientmathml=''; - for ($i=0;$i<=$#browsertype;$i++) { - my ($bname,$match,$notmatch,$vreg,$minv)=split(/\:/,$browsertype[$i]); - if (($httpbrowser=~/$match/i) && ($httpbrowser!~/$notmatch/i)) { - $clientbrowser=$bname; - $httpbrowser=~/$vreg/i; - $clientversion=$1; - $clientmathml=($clientversion>=$minv); - } - } - my $clientos='unknown'; - if (($httpbrowser=~/linux/i) || - ($httpbrowser=~/unix/i) || - ($httpbrowser=~/ux/i) || - ($httpbrowser=~/solaris/i)) { $clientos='unix'; } - if (($httpbrowser=~/vax/i) || - ($httpbrowser=~/vms/i)) { $clientos='vms'; } - if ($httpbrowser=~/next/i) { $clientos='next'; } - if (($httpbrowser=~/mac/i) || - ($httpbrowser=~/powerpc/i)) { $clientos='mac'; } - if ($httpbrowser=~/win/) { $clientos='win'; } - -# --------------------------------------------------------- Write first profile - - { - my $idf=Apache::File->new(">$lonids/$cookie.id"); - print $idf "user.name=$username\n"; - print $idf "user.domain=$domain\n"; - print $idf "user.home=$authhost\n"; - print $idf "browser.type=$clientbrowser\n"; - print $idf "browser.version=$clientversion\n"; - print $idf "browser.mathml=$clientmathml\n"; - print $idf "browser.os=$clientos\n"; - if ($userroles ne '') { print $idf "$userroles" }; - } # -------------------------------------------------------------------- Log this &Apache::lonnet::log($domain,$username,$authhost, "Login $ENV{'REMOTE_ADDR'}"); -# ------------------------------------------------------------ Get cookie ready +# ------------------------------------------------- Check for critical messages - $cookie="lonID=$cookie; path=/"; + my @what=&Apache::lonnet::dump('critical',$domain,$username); + if ($what[0]) { + if (($what[0] ne 'con_lost') && ($what[0]!~/^error\:/)) { + $lowerurl='/adm/email?critical=display'; + } + } +# ------------------------------------------------------------ Get cookie ready + $cookie="lonID=$cookie; path=/"; +# -------------------------------------------------------- Menu script and info + my $windowinfo=&Apache::lonmenu::open($env{'browser.os'}); + my $startupremote=&Apache::lonmenu::startupremote($lowerurl); + my $remoteinfo=&Apache::lonmenu::load_remote_msg($lowerurl); + my $setflags=&Apache::lonmenu::setflags(); + my $maincall=&Apache::lonmenu::maincall(); + my $start_page=&Apache::loncommon::start_page('Successful Login', + $startupremote, + {'no_inline_link' => 1,}); + my $end_page =&Apache::loncommon::end_page(); + + my $continuelink; + if (($env{'browser.interface'} eq 'textual') || + ($env{'environment.remote'} eq 'off')) { + $continuelink="".&mt('Continue').""; + } # ------------------------------------------------- Output for successful login - $r->send_cgi_header(<header_out('Set-cookie' => $cookie); + $r->send_http_header; + + my %lt=&Apache::lonlocal::texthash( + 'wel' => 'Welcome', + 'mes' => 'Welcome to the LearningOnline Network with CAPA. Please wait while your session is being set up.', + 'pro' => 'Login problems?', + 'log' => 'loginproblems.html', + ); $r->print(< - -Successful Login to the LearningOnline Network with CAPA - - - - -

Welcome!

- - +$start_page +$setflags +$windowinfo +

$lt{'wel'}

+$lt{'mes'}

+$lt{'pro'}

+$remoteinfo +$maincall +$continuelink +$end_page ENDSUCCESS } # --------------------------------------------------------------- Failed login! sub failed { - my ($r,$message) = @_; - $r->send_cgi_header(<print(< - -Unsuccessful Login to the LearningOnline Network with CAPA - - - -

Sorry ...

-

$message to use the LearningOnline Network with CAPA

- - -ENDFAILED + my ($r,$message,$form) = @_; + my $start_page = &Apache::loncommon::start_page('Unsuccessful Login',undef, + {'no_inline_link' => 1,}); + my $end_page = &Apache::loncommon::end_page(); + &Apache::loncommon::content_type($r,'text/html'); + $r->send_http_header; + $r->print( + $start_page + .'

'.&mt('Sorry ...').'

' + .'

'.&mt($message).'

' + .'

'.&mt('Please [_1]log in again[_2].' + ,"{'uname'}&domain=$form->{'udom'}\">",'') + .'

' + .'

'.&mt('Login problems?').'

' + .$end_page + ); + } + +# ------------------------------------------------------------------ Rerouting! + +sub reroute { + my ($r) = @_; + &Apache::loncommon::content_type($r,'text/html'); + $r->send_http_header; + my $msg='

'.&mt('Sorry ...').'

' + .&mt('Please [_1]log in again[_2].'); + &Apache::loncommon::simple_error_page($r,'Rerouting',$msg); } # ---------------------------------------------------------------- Main handler sub handler { my $r = shift; + my $form; +# Are we re-routing? + if (-e '/home/httpd/html/lon-status/reroute.txt') { + &reroute($r); + return OK; + } + + &Apache::lonlocal::get_language_handle($r); + +# -------------------------------- Prevent users from attempting to login twice + my $handle = &Apache::lonnet::check_for_valid_session($r); + if ($handle ne '') { +# Indeed, a valid token is found + &Apache::loncommon::content_type($r,'text/html'); + $r->send_http_header; + my $start_page = + &Apache::loncommon::start_page('Already logged in'); + my $end_page = + &Apache::loncommon::end_page(); + $r->print( + $start_page + .'

'.&mt('You are already logged in!').'

' + .'

'.&mt('Please either [_1]continue the current session[_2] or [_3]logout[_4].' + ,'','','','') + .'

' + .'

'.&mt('Login problems?').'

' + .$end_page + ); + return OK; + } + +# ---------------------------------------------------- No valid token, continue + my $buffer; - $r->read($buffer,$r->header_in('Content-length')); - my @pairs=split(/&/,$buffer); - my $pair; my $name; my $value; my %FORM; - foreach $pair (@pairs) { - ($name,$value) = split(/=/,$pair); + if ($r->header_in('Content-length') > 0) { + $r->read($buffer,$r->header_in('Content-length'),0); + } + my %form; + foreach my $pair (split(/&/,$buffer)) { + my ($name,$value) = split(/=/,$pair); $value =~ tr/+/ /; $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg; - $FORM{$name}=$value; + $form{$name}=$value; } - if ((!$FORM{'uname'}) || (!$FORM{'upass'}) || (!$FORM{'udom'})) { - failed($r,'Username, password and domain need to be specified'); + if ((!$form{'uname'}) || (!$form{'upass0'}) || (!$form{'udom'})) { + &failed($r,'Username, password and domain need to be specified.', + \%form); return OK; } - $FORM{'uname'} =~ s/\W//g; - $FORM{'udom'} =~ s/\W//g; + +# split user logging in and "su"-user + + ($form{'uname'},$form{'suname'})=split(/\:/,$form{'uname'}); + $form{'uname'} = &LONCAPA::clean_username($form{'uname'}); + $form{'suname'}= &LONCAPA::clean_username($form{'suname'}); + $form{'udom'} = &LONCAPA::clean_domain( $form{'udom'}); my $role = $r->dir_config('lonRole'); my $domain = $r->dir_config('lonDefDomain'); @@ -161,45 +215,133 @@ sub handler { # ---------------------------------------- Get the information from login token - my $tmpinfo=Apache::lonnet::reply('tmpget:'.$FORM{'logtoken'}, - $FORM{'serverid'}); + my $tmpinfo=Apache::lonnet::reply('tmpget:'.$form{'logtoken'}, + $form{'serverid'}); if (($tmpinfo=~/^error/) || ($tmpinfo eq 'con_lost')) { - failed($r,'Login token missing, inaccessible or expired'); + &failed($r,'Information needed to verify your login information is missing, inaccessible or expired.',\%form); return OK; + } else { + my $reply = &Apache::lonnet::reply('tmpdel:'.$form{'logtoken'}, + $form{'serverid'}); + if ( $reply ne 'ok' ) { + &failed($r,'Session could not be opened.',\%form); + &Apache::lonnet::logthis("ERROR got a reply of $reply when trying to contact ". $form{'serverid'}." to get login token"); + return OK; + } } - - my ($key,$firsturl)=split(/:/,$tmpinfo); + my ($key,$firsturl)=split(/&/,$tmpinfo); my $keybin=pack("H16",$key); - my $cipher=new DES $keybin; - - my $upass=$cipher->decrypt( - unpack("a8",pack("H16",substr($FORM{'upass'},0,16)))); + my $cipher; + if ($Crypt::DES::VERSION>=2.03) { + $cipher=new Crypt::DES $keybin; + } + else { + $cipher=new DES $keybin; + } + my $upass=''; + for (my $i=0;$i<=2;$i++) { + my $chunk= + $cipher->decrypt(unpack("a8",pack("H16",substr($form{'upass'.$i},0,16)))); - $upass.=$cipher->decrypt( - unpack("a8",pack("H16",substr($FORM{'upass'},16,16)))); + $chunk.= + $cipher->decrypt(unpack("a8",pack("H16",substr($form{'upass'.$i},16,16)))); - $upass=substr($upass,1,ord(substr($upass,0,1))); + $chunk=substr($chunk,1,ord(substr($chunk,0,1))); + $upass.=$chunk; + } # ---------------------------------------------------------------- Authenticate - my $authhost=Apache::lonnet::authenticate($FORM{'uname'}, - $upass, - $FORM{'udom'}); + my @cancreate; + my %domconfig = &Apache::lonnet::get_dom('configuration',['usercreation'],$form{'udom'}); + if (ref($domconfig{'usercreation'}) eq 'HASH') { + if (ref($domconfig{'usercreation'}{'cancreate'}) eq 'HASH') { + if (ref($domconfig{'usercreation'}{'cancreate'}{'selfcreate'}) eq 'ARRAY') { + @cancreate = @{$domconfig{'usercreation'}{'cancreate'}{'selfcreate'}}; + } elsif (($domconfig{'usercreation'}{'cancreate'}{'selfcreate'} ne 'none') && + ($domconfig{'usercreation'}{'cancreate'}{'selfcreate'} ne '')) { + @cancreate = ($domconfig{'usercreation'}{'cancreate'}{'selfcreate'}); + } + } + } + my $defaultauth; + if (grep(/^login$/,@cancreate)) { + $defaultauth = 1; + } + my $authhost=Apache::lonnet::authenticate($form{'uname'},$upass, + $form{'udom'},$defaultauth); # --------------------------------------------------------------------- Failed? if ($authhost eq 'no_host') { - failed($r,'Username and/or password could not be authenticated'); + &failed($r,'Username and/or password could not be authenticated.', + \%form); return OK; + } elsif ($authhost eq 'no_account_on_host') { + my %domconfig = + &Apache::lonnet::get_dom('configuration',['usercreation'],$form{'udom'}); + if (grep(/^login$/,@cancreate)) { + my $start_page = + &Apache::loncommon::start_page('Create a user account in LON-CAPA', + '',{'no_inline_link' => 1,}); + my $domdesc = &Apache::lonnet::domain($form{'udom'},'description'); + my ($output,$checkfail) = &Apache::createaccount::username_check($form{'uname'}, + $form{'udom'},$domdesc); + &Apache::loncommon::content_type($r,'text/html'); + $r->send_http_header; + &Apache::createaccount::print_header($r,$start_page); + my $msg = '

'.&mt('Although your username and password were authenticated, you do not currently have a LON-CAPA account in this domain.').'
'; + if ($checkfail) { + $msg .= &mt('A LON-CAPA account may not be created with the username you used.'); + } else { + $msg .= &mt('To create one, use the table below to provide information about yourself (if appropriate), then click the "Create LON-CAPA account" button.'); + } + $r->print('

'.$msg.'

'.$output); + $r->print(&Apache::loncommon::end_page()); + return OK; + } else { + &failed($r,'Although your username and password were authenticated, you do not currently have a LON-CAPA account in this domain, and you are not permitted to create one.',\%form); + return OK; + } } - if ($firsturl eq '') { - $firsturl='/res/adm/pages/index.html'; + if (($firsturl eq '') || + ($firsturl=~/^\/adm\/(logout|remote)/)) { + $firsturl='/adm/roles'; + } +# --------------------------------- Are we attempting to login as somebody else? + if ($form{'suname'}) { +# ------------ see if the original user has enough privileges to pull this stunt + if (&Apache::lonnet::privileged($form{'uname'},$form{'udom'})) { +# ---------------------------------------------------- see if the su-user exists + unless (&Apache::lonnet::homeserver($form{'suname'},$form{'udom'}) + eq 'no_host') { + &Apache::lonnet::logthis(&Apache::lonnet::homeserver($form{'suname'},$form{'udom'})); +# ------------------------------ see if the su-user is not too highly privileged + unless (&Apache::lonnet::privileged($form{'suname'},$form{'udom'})) { +# -------------------------------------------------------- actually switch users + &Apache::lonnet::logperm('User '.$form{'uname'}.' at '.$form{'udom'}. + ' logging in as '.$form{'suname'}); + $form{'uname'}=$form{'suname'}; + } else { + &Apache::lonnet::logthis('Attempted switch user to privileged user'); + } + } + } else { + &Apache::lonnet::logthis('Non-privileged user attempting switch user'); + } } - success($r,$FORM{'uname'},$FORM{'udom'},$authhost,$firsturl); + if ($r->dir_config("lonBalancer") eq 'yes') { + &success($r,$form{'uname'},$form{'udom'},$authhost,'noredirect',undef, + \%form); + $r->internal_redirect('/adm/switchserver'); + } else { + &success($r,$form{'uname'},$form{'udom'},$authhost,$firsturl,undef, + \%form); + } return OK; } 500 Internal Server Error

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at root@localhost to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.