Annotation of loncom/auth/lonwebdavacc.pm, revision 1.4

1.1       raeburn     1: # The LearningOnline Network
                      2: # Authorization Handler for webDAV access to Authoring Space. 
                      3: #
1.4     ! raeburn     4: # $Id: lonwebdavacc.pm,v 1.3 2015/03/16 12:13:34 raeburn Exp $
1.1       raeburn     5: #
                      6: # Copyright Michigan State University Board of Trustees
                      7: #
                      8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
                      9: #
                     10: # LON-CAPA is free software; you can redistribute it and/or modify
                     11: # it under the terms of the GNU General Public License as published by
                     12: # the Free Software Foundation; either version 2 of the License, or
                     13: # (at your option) any later version.
                     14: #
                     15: # LON-CAPA is distributed in the hope that it will be useful,
                     16: # but WITHOUT ANY WARRANTY; without even the implied warranty of
                     17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
                     18: # GNU General Public License for more details.
                     19: #
                     20: # You should have received a copy of the GNU General Public License
                     21: # along with LON-CAPA; if not, write to the Free Software
                     22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
                     23: #
                     24: # /home/httpd/html/adm/gpl.txt
                     25: #
                     26: # http://www.lon-capa.org/
                     27: #
                     28: 
                     29: =pod
                     30: 
                     31: =head1 NAME
                     32: 
                     33: Apache::lonwebdavacc - webDAV Authorization Handler
                     34: 
                     35: =head1 SYNOPSIS
                     36: 
1.4     ! raeburn    37: Invoked for ^/+webdav/[\w\-.]+/\w[\w.\-\@]+/ by
1.1       raeburn    38: /etc/httpd/conf/loncapa_apache.conf:
                     39: 
                     40: PerlAccessHandler       Apache::lonwebdavacc
                     41: 
                     42: =head1 INTRODUCTION
                     43: 
                     44: This module enables authorization for authoring space
                     45: and is used to control access for the following type of URI:
                     46: 
1.4     ! raeburn    47:  <LocationMatch "^/+webdav/[\w\-.]+/\w[\w.\-\@]+/">
1.1       raeburn    48: 
                     49: This module is only called following successful authentication. 
                     50: Unless lonOtherAuthen has been set, so Single Sign On can be used,
                     51: successful authentication will have created a session file and
                     52: transferred the contents to the user's environment.
                     53: 
                     54: In the case of SSO, there is no existing user environment, but  
                     55: $r->user will have been set to the user's username, following 
                     56: successful authentication.  For SSO, the webDAV session file
                     57: and environment are set up by a call to 
                     58: Apache::lonwebdavauth::init_webdav_env().
                     59: 
                     60: Note: because Apache Basic Auth is used for authentication (unless SSO)
                     61: webDAV access is only available for servers running Apache with SSL.
                     62: 
                     63: This is part of the LearningOnline Network with CAPA project
                     64: described at http://www.lon-capa.org.
                     65: 
                     66: =head1 HANDLER SUBROUTINE
                     67: 
                     68: This routine is called by Apache and mod_perl.
                     69: 
                     70: =over 4
                     71: 
                     72: =item *
                     73: 
                     74: Checks if $env{'user.environment'} is defined.
                     75: 
                     76: =item *
                     77: 
                     78: If no %env, this was SSO authentication so call to &sso_login() to
                     79: create session, and return cookie. 
                     80: 
                     81: =item *
                     82: 
                     83: Checks if requested URL (of form /webdav/authordomain/authorname) is valid
                     84: and whether authenticated user has an active author or co-author
                     85: role in the corresonding Author Space. 
                     86: 
                     87: =back
                     88: 
                     89: =head1 NOTABLE SUBROUTINES
                     90: 
                     91: =over
                     92: 
                     93: =item * sso_login()
                     94: 
                     95: =over 
                     96: 
                     97: =item *
                     98: 
                     99: Called if no user.environment exists in %env.
                    100: 
                    101: =item *
                    102: 
                    103: Checks if $r->user contains a valid user.
                    104: 
                    105: =item *
                    106: 
                    107: Domain is set either from lonSSOUserDomain perlvar (if defined)
                    108: or from lonDefDomain perlvar.
                    109:  
                    110: =item *
                    111: 
                    112: For a valid user a new session file and is created, and the corresponding 
                    113: cookie is returned to the client in an Apache response header.
                    114: 
                    115: =back
                    116: 
                    117: =back
                    118: 
                    119: =cut
                    120: 
                    121: package Apache::lonwebdavacc;
                    122: 
                    123: use strict;
                    124: use GDBM_File;
                    125: use Apache::Constants qw(:common :http :methods);
                    126: use Apache::lonnet;
1.2       raeburn   127: use Apache::londiff();
1.1       raeburn   128: use LONCAPA qw(:DEFAULT :match);
                    129: 
                    130: sub handler {
                    131:     my $r = shift;
                    132:     my $timetolive = 600;
                    133:     my $now = time;
                    134:     my $sessiondir=$r->dir_config('lonDAVsessDir');
                    135: 
1.4     ! raeburn   136:     my ($adom,$aname) = ($r->uri =~ m{^/webdav/($match_domain)/($match_username)/});
        !           137:     my $author = "$aname:$adom";
1.1       raeburn   138:     unless ($env{'user.environment'}) {
                    139:         my $handle = &Apache::lonnet::check_for_valid_session($r,'lonDAV');
                    140:         if ($handle eq '') {
1.4     ! raeburn   141:             $handle = &sso_login($r,$sessiondir,$now,$timetolive,$author);
1.1       raeburn   142:             if ($handle eq '') {
                    143:                 return FORBIDDEN;
                    144:             }
                    145:         } else {
                    146:             &Apache::lonnet::transfer_profile_to_env($sessiondir,$handle);
                    147:         }
                    148:     }
                    149:     my $uhome=&Apache::lonnet::homeserver($env{'user.name'},$env{'user.domain'});
                    150:     if ($uhome =~ /^(con_lost|no_host|no_such_host)$/) {
                    151:         return FORBIDDEN;
                    152:     }
                    153: 
                    154:     my $docroot = $r->dir_config('lonDocRoot');
                    155:     if ($adom eq '' || $aname eq '') {
                    156:         return FORBIDDEN;
                    157:     } elsif (!-d "$docroot/priv/$adom/$aname") {
                    158:         return FORBIDDEN;
                    159:     }
1.2       raeburn   160:     my $allowed;  
1.1       raeburn   161:     if (($env{'user.name'} eq $aname) && ($env{'user.domain'} eq $adom)) {
                    162:         if ($env{"user.role.au./$adom/"}) {
1.2       raeburn   163:             $allowed = 1;
1.1       raeburn   164:         }
                    165:     } else {
                    166:         if (($env{"user.role.ca./$adom/$aname"}) ||
                    167:             (env{"user.role.aa./$adom/$aname"})) {
1.2       raeburn   168:             $allowed = 1;
1.1       raeburn   169:         }
                    170:     }
1.2       raeburn   171:     if ($allowed) {
                    172:         my $method = $r->method();
                    173:         if (($r->filename =~ /.+\.(log|bak|meta|save)$/) || ($r->filename =~ /\.\d+\.\w+$/) || 
                    174:             ($r->filename =~ m{/\.+[^_/]+$})) {
                    175:             if (($method eq 'MKCOL') || ($method eq 'PUT')) {
                    176:                 return FORBIDDEN;
                    177:             } elsif ($method eq 'MOVE') {
                    178:                 if (($r->filename =~ /\.\d+\.\w+$/) || ($r->filename =~ m{/\.+[^_/]+$})) {
                    179:                     return FORBIDDEN;
                    180:                 }
                    181:             }
                    182:         }
                    183:         if (($method eq 'DELETE') || ($method eq 'MOVE')) {
                    184:             unless (($r->filename =~ m{/\._[^/]+$}) || ($r->filename =~ m{/\.DS_Store$})) {
                    185:                 my $dirptr=16384;
                    186:                 my ($cmode,$cmtime)=(stat($r->filename))[2,9];
                    187:                 if (($cmode&$dirptr)) {
                    188:                     my $numpub = 0;
                    189:                     $numpub = &recurse_dir($r->filename,$r->dir_config('lonDocRoot'),$numpub);
                    190:                     if ($numpub) {
                    191:                         return FORBIDDEN;
                    192:                     }
                    193:                 } else {
                    194:                     if ($r->filename =~ /^(.+)\.(log|bak|save|meta)$/) {
                    195:                         my $conjugate = $1;
                    196:                         my $type = $2; 
                    197:                         if (($type eq 'log') || ($type eq 'meta')) {
                    198:                             if (-e $conjugate) {
                    199:                                 my $conjstatus = &pubstatus($conjugate,$r->dir_config('lonDocRoot'));
                    200:                                 unless (($conjstatus eq 'unpublished') || ($conjstatus eq 'obsolete')) {
                    201:                                     return FORBIDDEN;
                    202:                                 }
                    203:                             }
                    204:                         }
                    205:                     } else {
                    206:                         my $status = &pubstatus($r->filename,$r->dir_config('lonDocRoot'));
                    207:                         unless (($status eq 'unpublished') || ($status eq 'obsolete')) {
                    208:                             return FORBIDDEN;
                    209:                         }
                    210:                     }
                    211:                 }
                    212:             }
                    213:         }
                    214:         return OK;
                    215:     }
1.1       raeburn   216:     return FORBIDDEN;
                    217: }
                    218: 
                    219: sub sso_login {
1.4     ! raeburn   220:     my ($r,$sessiondir,$now,$timetolive,$author) = @_;
1.1       raeburn   221:     my ($uname,$udom);
                    222:     my ($uname) = ($r->user =~ m/([a-zA-Z0-9_\-@.]*)/);
                    223:     unless ($uname =~ /^$match_username$/) {
                    224:         return;
                    225:     }
                    226:     $udom = $r->dir_config('lonSSOUserDomain');
                    227:     if ($udom eq '') {
                    228:         $udom = $r->dir_config('lonDefDomain');
                    229:     }
                    230:     unless (($udom =~ /^$match_domain$/)) {
                    231:         return;
                    232:     }
                    233:     my $uhome = &Apache::lonnet::homeserver($uname,$udom);
                    234:     if ($uhome =~ /^(con_lost|no_host|no_such_host)$/) {
                    235:         return;
                    236:     }
                    237:     my $handle = 
1.4     ! raeburn   238:         &Apache::lonwebdavauth::init_webdav_env($r,$sessiondir,$uname,$udom,
        !           239:                                                 $uhome,$now,$timetolive,$author);
1.1       raeburn   240:     if ($handle ne '') {
1.4     ! raeburn   241:         if (&Apache::lonnet::usertools_access($uname,$udom,'webdav')) {
        !           242:             my ($webdav) =
        !           243:                 ($r->uri =~ m{^(/webdav/$match_domain/$match_username/)});
        !           244:             &Apache::lonnet::log($udom,$uname,$uhome,
        !           245:                                  "SSO log-in to $webdav from $ENV{'REMOTE_ADDR'}");
        !           246:             my $cookie = "lonDAV=$handle; path=/webdav/; secure; HttpOnly;";
        !           247:             $r->header_out('Set-cookie' => $cookie);
        !           248:             $r->send_http_header;
        !           249:         }
1.1       raeburn   250:     }
                    251:     return ($handle);
                    252: }
                    253: 
1.2       raeburn   254: sub pubstatus {
                    255:     my ($fn,$docroot,$cmtime) = @_;
                    256:     my $privfn = $fn;
                    257:     my $thisdisfn = $fn;
                    258:     $thisdisfn=~s/^\Q$docroot\E\/priv//;
                    259:     my $resfn=$docroot.'/res'.$thisdisfn;
                    260:     my $targetfn = '/res'.$thisdisfn;
                    261:     my $status = 'unpublished';
                    262:     if (-e $resfn) {
                    263:         $status = 'published';
                    264:         my $same = 0;
                    265:         if ((stat($resfn))[9] >= $cmtime) {
                    266:             $same = 1;
                    267:         } else {
                    268:             if (&Apache::londiff::are_different_files($resfn,$privfn)) {
                    269:                 $same = 0;
                    270:             } else {
                    271:                 $same = 1;
                    272:             }
                    273:         }
                    274:         if ($same) {
                    275:             if (&Apache::lonnet::metadata($targetfn,'obsolete')) {
                    276:                 $status = 'obsolete';
                    277:             }
                    278:         }
                    279:     }
                    280:     return $status;
                    281: }
                    282: 
                    283: sub recurse_dir {
                    284:     my ($dirname,$docroot,$numpub) = @_;
                    285:     $dirname =~ s{/$}{};
                    286:     my $dirptr=16384;
                    287:     if (opendir(my $dirh,$dirname)) {
                    288:         my @items = readdir($dirh);
                    289:         closedir($dirh);
                    290:         foreach my $item (@items) {
                    291:             next if ($item =~ /.+\.(log|bak|save|meta)$/);
                    292:             next if ($item =~ /^\.+/);
                    293:             my ($cmode,$cmtime)=(stat("$dirname/$item"))[2,9];
                    294:             if (!($cmode&$dirptr)) {
                    295:                 if (&pubstatus("$dirname/$item",$docroot,$cmtime) eq 'published') {
                    296:                     $numpub ++;
                    297:                 }
                    298:             } else {
1.3       raeburn   299:                 $numpub = &recurse_dir("$dirname/$item",$docroot,$numpub);
1.2       raeburn   300:             }
                    301:         }
                    302:     }
                    303:     return $numpub;
                    304: }
                    305: 
1.1       raeburn   306: 1;

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>