Diff for /loncom/lond between versions 1.489.2.9 and 1.489.2.28.2.2

version 1.489.2.9, 2013/10/17 00:36:01 version 1.489.2.28.2.2, 2018/04/29 00:45:43
Line 55  use LONCAPA::lonssl; Line 55  use LONCAPA::lonssl;
 use Fcntl qw(:flock);  use Fcntl qw(:flock);
 use Apache::lonnet;  use Apache::lonnet;
 use Mail::Send;  use Mail::Send;
   use Crypt::Eksblowfish::Bcrypt;
   use Digest::SHA;
   use Encode;
   
 my $DEBUG = 0;       # Non zero to enable debug log entries.  my $DEBUG = 0;       # Non zero to enable debug log entries.
   
Line 621  sub ConfigFileFromSelector { Line 624  sub ConfigFileFromSelector {
 #     String to send to client ("ok" or "refused" if bad file).  #     String to send to client ("ok" or "refused" if bad file).
 #  #
 sub PushFile {  sub PushFile {
     my $request = shift;          my $request = shift;
     my ($command, $filename, $contents) = split(":", $request, 3);      my ($command, $filename, $contents) = split(":", $request, 3);
     &Debug("PushFile");      &Debug("PushFile");
           
Line 651  sub PushFile { Line 654  sub PushFile {
   
     if($filename eq "host") {      if($filename eq "host") {
  $contents = AdjustHostContents($contents);   $contents = AdjustHostContents($contents);
       } elsif ($filename eq 'dns_host' || $filename eq 'dns_domain') {
           if ($contents eq '') {
               &logthis('<font color="red"> Pushfile: unable to install '
                       .$tablefile." - no data received from push. </font>");
               return 'error: push had no data';
           }
           if (&Apache::lonnet::get_host_ip($clientname)) {
               my $clienthost = &Apache::lonnet::hostname($clientname);
               if ($managers{$clientip} eq $clientname) {
                   my $clientprotocol = $Apache::lonnet::protocol{$clientname};
                   $clientprotocol = 'http' if ($clientprotocol ne 'https');
                   my $url = '/adm/'.$filename;
                   $url =~ s{_}{/};
                   my $ua=new LWP::UserAgent;
                   $ua->timeout(60);
                   my $request=new HTTP::Request('GET',"$clientprotocol://$clienthost$url");
                   my $response=$ua->request($request);
                   if ($response->is_error()) {
                       &logthis('<font color="red"> Pushfile: unable to install '
                               .$tablefile." - error attempting to pull data. </font>");
                       return 'error: pull failed';
                   } else {
                       my $result = $response->content;
                       chomp($result);
                       unless ($result eq $contents) {
                           &logthis('<font color="red"> Pushfile: unable to install '
                                   .$tablefile." - pushed data and pulled data differ. </font>");
                           my $pushleng = length($contents);
                           my $pullleng = length($result);
                           if ($pushleng != $pullleng) {
                               return "error: $pushleng vs $pullleng bytes";
                           } else {
                               return "error: mismatch push and pull";
                           }
                       }
                   }
               }
           }
     }      }
   
     #  Install the new file:      #  Install the new file:
Line 1384  sub du2_handler { Line 1425  sub du2_handler {
 #    selected directory the filename followed by the full output of  #    selected directory the filename followed by the full output of
 #    the stat function is returned.  The returned info for each  #    the stat function is returned.  The returned info for each
 #    file are separated by ':'.  The stat fields are separated by &'s.  #    file are separated by ':'.  The stat fields are separated by &'s.
   #
   #    If the requested path contains /../ or is:
   #
   #    1. for a directory, and the path does not begin with one of:
   #        (a) /home/httpd/html/res/<domain>
   #        (b) /home/httpd/html/userfiles/
   #        (c) /home/httpd/lonUsers/<domain>/<1>/<2>/<3>/<username>/userfiles
   #    or is:
   #
   #    2. for a file, and the path (after prepending) does not begin with one of:
   #        (a) /home/httpd/lonUsers/<domain>/<1>/<2>/<3>/<username>/
   #        (b) /home/httpd/html/res/<domain>/<username>/
   #        (c) /home/httpd/html/userfiles/<domain>/<username>/
   #
   #    the response will be "refused".
   #
 # Parameters:  # Parameters:
 #    $cmd        - The command that dispatched us (ls).  #    $cmd        - The command that dispatched us (ls).
 #    $ulsdir     - The directory path to list... I'm not sure what this  #    $ulsdir     - The directory path to list... I'm not sure what this
Line 1405  sub ls_handler { Line 1462  sub ls_handler {
     my $rights;      my $rights;
     my $ulsout='';      my $ulsout='';
     my $ulsfn;      my $ulsfn;
       if ($ulsdir =~m{/\.\./}) {
           &Failure($client,"refused\n",$userinput);
           return 1;
       }
     if (-e $ulsdir) {      if (-e $ulsdir) {
  if(-d $ulsdir) {   if(-d $ulsdir) {
               unless (($ulsdir =~ m{^/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) ||
                       ($ulsdir =~ m{^/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_name/userfiles})) {
                   &Failure($client,"refused\n",$userinput);
                   return 1;
               }
     if (opendir(LSDIR,$ulsdir)) {      if (opendir(LSDIR,$ulsdir)) {
  while ($ulsfn=readdir(LSDIR)) {   while ($ulsfn=readdir(LSDIR)) {
     undef($obs);      undef($obs);
Line 1430  sub ls_handler { Line 1496  sub ls_handler {
  closedir(LSDIR);   closedir(LSDIR);
     }      }
  } else {   } else {
               unless (($ulsdir =~ m{^/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_name/}) ||
                       ($ulsdir =~ m{^/home/httpd/html/(?:res|userfiles)/$LONCAPA::match_domain/$LONCAPA::match_name/})) {
                   &Failure($client,"refused\n",$userinput);
                   return 1;
               }
     my @ulsstats=stat($ulsdir);      my @ulsstats=stat($ulsdir);
     $ulsout.=$ulsfn.'&'.join('&',@ulsstats).':';      $ulsout.=$ulsfn.'&'.join('&',@ulsstats).':';
  }   }
Line 1454  sub ls_handler { Line 1525  sub ls_handler {
 #    selected directory the filename followed by the full output of  #    selected directory the filename followed by the full output of
 #    the stat function is returned.  The returned info for each  #    the stat function is returned.  The returned info for each
 #    file are separated by ':'.  The stat fields are separated by &'s.  #    file are separated by ':'.  The stat fields are separated by &'s.
   #
   #    If the requested path contains /../ or is:
   #
   #    1. for a directory, and the path does not begin with one of:
   #        (a) /home/httpd/html/res/<domain>
   #        (b) /home/httpd/html/userfiles/
   #        (c) /home/httpd/lonUsers/<domain>/<1>/<2>/<3>/<username>/userfiles
   #    or is:
   #
   #    2. for a file, and the path (after prepending) does not begin with one of:
   #        (a) /home/httpd/lonUsers/<domain>/<1>/<2>/<3>/<username>/
   #        (b) /home/httpd/html/res/<domain>/<username>/
   #        (c) /home/httpd/html/userfiles/<domain>/<username>/
   #
   #    the response will be "refused".
   #
 # Parameters:  # Parameters:
 #    $cmd        - The command that dispatched us (ls).  #    $cmd        - The command that dispatched us (ls).
 #    $ulsdir     - The directory path to list... I'm not sure what this  #    $ulsdir     - The directory path to list... I'm not sure what this
Line 1474  sub ls2_handler { Line 1561  sub ls2_handler {
     my $rights;      my $rights;
     my $ulsout='';      my $ulsout='';
     my $ulsfn;      my $ulsfn;
       if ($ulsdir =~m{/\.\./}) {
           &Failure($client,"refused\n",$userinput);
           return 1;
       }
     if (-e $ulsdir) {      if (-e $ulsdir) {
         if(-d $ulsdir) {          if(-d $ulsdir) {
               unless (($ulsdir =~ m{^/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) ||
                       ($ulsdir =~ m{^/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_name/userfiles})) {
                   &Failure($client,"refused\n","$userinput");
                   return 1;
               }
             if (opendir(LSDIR,$ulsdir)) {              if (opendir(LSDIR,$ulsdir)) {
                 while ($ulsfn=readdir(LSDIR)) {                  while ($ulsfn=readdir(LSDIR)) {
                     undef($obs);                      undef($obs);
Line 1500  sub ls2_handler { Line 1596  sub ls2_handler {
                 closedir(LSDIR);                  closedir(LSDIR);
             }              }
         } else {          } else {
               unless (($ulsdir =~ m{^/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_name/}) ||
                       ($ulsdir =~ m{^/home/httpd/html/(?:res|userfiles)/$LONCAPA::match_domain/$LONCAPA::match_name/})) {
                   &Failure($client,"refused\n",$userinput);
                   return 1;
               }
             my @ulsstats=stat($ulsdir);              my @ulsstats=stat($ulsdir);
             $ulsout.=$ulsfn.'&'.join('&',@ulsstats).':';              $ulsout.=$ulsfn.'&'.join('&',@ulsstats).':';
         }          }
Line 1516  sub ls2_handler { Line 1617  sub ls2_handler {
 #    selected directory the filename followed by the full output of  #    selected directory the filename followed by the full output of
 #    the stat function is returned.  The returned info for each  #    the stat function is returned.  The returned info for each
 #    file are separated by ':'.  The stat fields are separated by &'s.  #    file are separated by ':'.  The stat fields are separated by &'s.
   #
   #    If the requested path (after prepending) contains /../ or is:
   #
   #    1. for a directory, and the path does not begin with one of:
   #        (a) /home/httpd/html/res/<domain>
   #        (b) /home/httpd/html/userfiles/
   #        (c) /home/httpd/lonUsers/<domain>/<1>/<2>/<3>/<username>/userfiles
   #        (d) /home/httpd/html/priv/<domain> and client is the homeserver
   #
   #    or is:
   #
   #    2. for a file, and the path (after prepending) does not begin with one of:
   #        (a) /home/httpd/lonUsers/<domain>/<1>/<2>/<3>/<username>/
   #        (b) /home/httpd/html/res/<domain>/<username>/
   #        (c) /home/httpd/html/userfiles/<domain>/<username>/
   #        (d) /home/httpd/html/priv/<domain>/<username>/ and client is the homeserver
   #
   #    the response will be "refused".
   #
 # Parameters:  # Parameters:
 #    $cmd        - The command that dispatched us (ls).  #    $cmd        - The command that dispatched us (ls).
 #    $tail       - The tail of the request that invoked us.  #    $tail       - The tail of the request that invoked us.
Line 1555  sub ls3_handler { Line 1675  sub ls3_handler {
     }      }
   
     my $dir_root = $perlvar{'lonDocRoot'};      my $dir_root = $perlvar{'lonDocRoot'};
     if ($getpropath) {      if (($getpropath) || ($getuserdir)) {
         if (($uname =~ /^$LONCAPA::match_name$/) && ($udom =~ /^$LONCAPA::match_domain$/)) {          if (($uname =~ /^$LONCAPA::match_name$/) && ($udom =~ /^$LONCAPA::match_domain$/)) {
             $dir_root = &propath($udom,$uname);              $dir_root = &propath($udom,$uname);
             $dir_root =~ s/\/$//;              $dir_root =~ s/\/$//;
         } else {          } else {
             &Failure($client,"refused\n","$cmd:$tail");              &Failure($client,"refused\n",$userinput);
             return 1;  
         }  
     } elsif ($getuserdir) {  
         if (($uname =~ /^$LONCAPA::match_name$/) && ($udom =~ /^$LONCAPA::match_domain$/)) {  
             my $subdir=$uname.'__';  
             $subdir =~ s/(.)(.)(.).*/$1\/$2\/$3/;  
             $dir_root = $Apache::lonnet::perlvar{'lonUsersDir'}  
                        ."/$udom/$subdir/$uname";  
         } else {  
             &Failure($client,"refused\n","$cmd:$tail");  
             return 1;              return 1;
         }          }
     } elsif ($alternate_root ne '') {      } elsif ($alternate_root ne '') {
Line 1583  sub ls3_handler { Line 1693  sub ls3_handler {
             $ulsdir = $dir_root.'/'.$ulsdir;              $ulsdir = $dir_root.'/'.$ulsdir;
         }          }
     }      }
       if ($ulsdir =~m{/\.\./}) {
           &Failure($client,"refused\n",$userinput);
           return 1;
       }
       my $islocal;
       my @machine_ids = &Apache::lonnet::current_machine_ids();
       if (grep(/^\Q$clientname\E$/,@machine_ids)) {
           $islocal = 1;
       }
     my $obs;      my $obs;
     my $rights;      my $rights;
     my $ulsout='';      my $ulsout='';
     my $ulsfn;      my $ulsfn;
     if (-e $ulsdir) {      if (-e $ulsdir) {
         if(-d $ulsdir) {          if(-d $ulsdir) {
               unless (($getpropath) || ($getuserdir) ||
                       ($ulsdir =~ m{^/home/httpd/html/(res/$LONCAPA::match_domain|userfiles/)}) ||
                       ($ulsdir =~ m{^/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_name/userfiles}) ||
                       (($ulsdir =~ m{^/home/httpd/html/priv/$LONCAPA::match_domain}) && ($islocal))) {
                   &Failure($client,"refused\n",$userinput);
                   return 1;
               }
             if (opendir(LSDIR,$ulsdir)) {              if (opendir(LSDIR,$ulsdir)) {
                 while ($ulsfn=readdir(LSDIR)) {                  while ($ulsfn=readdir(LSDIR)) {
                     undef($obs);                      undef($obs);
Line 1613  sub ls3_handler { Line 1739  sub ls3_handler {
                 closedir(LSDIR);                  closedir(LSDIR);
             }              }
         } else {          } else {
               unless (($getpropath) || ($getuserdir) ||
                       ($ulsdir =~ m{^/home/httpd/lonUsers/$LONCAPA::match_domain(?:/[\w\-.@]){3}/$LONCAPA::match_name/}) ||
                       ($ulsdir =~ m{^/home/httpd/html/(?:res|userfiles)/$LONCAPA::match_domain/$LONCAPA::match_name/}) ||
                       (($ulsdir =~ m{^/home/httpd/html/priv/$LONCAPA::match_domain/$LONCAPA::match_name/}) && ($islocal))) {
                   &Failure($client,"refused\n",$userinput);
                   return 1;
               }
             my @ulsstats=stat($ulsdir);              my @ulsstats=stat($ulsdir);
             $ulsout.=$ulsfn.'&'.join('&',@ulsstats).':';              $ulsout.=$ulsfn.'&'.join('&',@ulsstats).':';
         }          }
Line 1979  sub change_password_handler { Line 2112  sub change_password_handler {
  my ($howpwd,$contentpwd)=split(/:/,$realpasswd);   my ($howpwd,$contentpwd)=split(/:/,$realpasswd);
  if ($howpwd eq 'internal') {   if ($howpwd eq 'internal') {
     &Debug("internal auth");      &Debug("internal auth");
     my $salt=time;              my $ncpass = &hash_passwd($udom,$npass);
     $salt=substr($salt,6,2);  
     my $ncpass=crypt($npass,$salt);  
     if(&rewrite_password_file($udom, $uname, "internal:$ncpass")) {      if(&rewrite_password_file($udom, $uname, "internal:$ncpass")) {
  my $msg="Result of password change for $uname: pwchange_success";   my $msg="Result of password change for $uname: pwchange_success";
                 if ($lonhost) {                  if ($lonhost) {
                     $msg .= " - request originated from: $lonhost";                      $msg .= " - request originated from: $lonhost";
                 }                  }
                 &logthis($msg);                  &logthis($msg);
                   &update_passwd_history($uname,$udom,$howpwd,$context);
  &Reply($client, "ok\n", $userinput);   &Reply($client, "ok\n", $userinput);
     } else {      } else {
  &logthis("Unable to open $uname passwd "                  &logthis("Unable to open $uname passwd "               
Line 1996  sub change_password_handler { Line 2128  sub change_password_handler {
     }      }
  } elsif ($howpwd eq 'unix' && $context ne 'reset_by_email') {   } elsif ($howpwd eq 'unix' && $context ne 'reset_by_email') {
     my $result = &change_unix_password($uname, $npass);      my $result = &change_unix_password($uname, $npass);
               if ($result eq 'ok') {
                   &update_passwd_history($uname,$udom,$howpwd,$context);
               }
     &logthis("Result of password change for $uname: ".      &logthis("Result of password change for $uname: ".
      $result);       $result);
     &Reply($client, \$result, $userinput);      &Reply($client, \$result, $userinput);
Line 2018  sub change_password_handler { Line 2153  sub change_password_handler {
 }  }
 &register_handler("passwd", \&change_password_handler, 1, 1, 0);  &register_handler("passwd", \&change_password_handler, 1, 1, 0);
   
   sub hash_passwd {
       my ($domain,$plainpass,@rest) = @_;
       my ($salt,$cost);
       if (@rest) {
           $cost = $rest[0];
           # salt is first 22 characters, base-64 encoded by bcrypt
           my $plainsalt = substr($rest[1],0,22);
           $salt = Crypt::Eksblowfish::Bcrypt::de_base64($plainsalt);
       } else {
           my %domdefaults = &Apache::lonnet::get_domain_defaults($domain);
           my $defaultcost = $domdefaults{'intauth_cost'};
           if (($defaultcost eq '') || ($defaultcost =~ /D/)) {
               $cost = 10;
           } else {
               $cost = $defaultcost;
           }
           # Generate random 16-octet base64 salt
           $salt = "";
           $salt .= pack("C", int rand(256)) for 1..16;
       }
       my $hash = &Crypt::Eksblowfish::Bcrypt::bcrypt_hash({
           key_nul => 1,
           cost    => $cost,
           salt    => $salt,
       }, Digest::SHA::sha512(Encode::encode('UTF-8',$plainpass)));
   
       my $result = join("!", "", "bcrypt", sprintf("%02d",$cost),
                   &Crypt::Eksblowfish::Bcrypt::en_base64($salt).
                   &Crypt::Eksblowfish::Bcrypt::en_base64($hash));
       return $result;
   }
   
 #  #
 #   Create a new user.  User in this case means a lon-capa user.  #   Create a new user.  User in this case means a lon-capa user.
 #   The user must either already exist in some authentication realm  #   The user must either already exist in some authentication realm
Line 2061  sub add_user_handler { Line 2228  sub add_user_handler {
     ."makeuser";      ."makeuser";
     }      }
     unless ($fperror) {      unless ($fperror) {
  my $result=&make_passwd_file($uname,$udom,$umode,$npass, $passfilename);   my $result=&make_passwd_file($uname,$udom,$umode,$npass,
                                                $passfilename,'makeuser');
  &Reply($client,\$result, $userinput);     #BUGBUG - could be fail   &Reply($client,\$result, $userinput);     #BUGBUG - could be fail
     } else {      } else {
  &Failure($client, \$fperror, $userinput);   &Failure($client, \$fperror, $userinput);
Line 2130  sub change_authentication_handler { Line 2298  sub change_authentication_handler {
  my $result = &change_unix_password($uname, $npass);   my $result = &change_unix_password($uname, $npass);
  &logthis("Result of password change for $uname: ".$result);   &logthis("Result of password change for $uname: ".$result);
  if ($result eq "ok") {   if ($result eq "ok") {
                       &update_passwd_history($uname,$udom,$umode,'changeuserauth');
     &Reply($client, \$result);      &Reply($client, \$result);
  } else {   } else {
     &Failure($client, \$result);      &Failure($client, \$result);
  }   }
     } else {      } else {
  my $result=&make_passwd_file($uname,$udom,$umode,$npass,$passfilename);   my $result=&make_passwd_file($uname,$udom,$umode,$npass,
                                                $passfilename,'changeuserauth');
  #   #
  #  If the current auth mode is internal, and the old auth mode was   #  If the current auth mode is internal, and the old auth mode was
  #  unix, or krb*,  and the user is an author for this domain,   #  unix, or krb*,  and the user is an author for this domain,
Line 2156  sub change_authentication_handler { Line 2326  sub change_authentication_handler {
 }  }
 &register_handler("changeuserauth", \&change_authentication_handler, 1,1, 0);  &register_handler("changeuserauth", \&change_authentication_handler, 1,1, 0);
   
   sub update_passwd_history {
       my ($uname,$udom,$umode,$context) = @_;
       my $proname=&propath($udom,$uname);
       my $now = time;
       if (open(my $fh,">>$proname/passwd.log")) {
           print $fh "$now:$umode:$context\n";
           close($fh);
       }
       return;
   }
   
 #  #
 #   Determines if this is the home server for a user.  The home server  #   Determines if this is the home server for a user.  The home server
 #   for a user will have his/her lon-capa passwd file.  Therefore all we need  #   for a user will have his/her lon-capa passwd file.  Therefore all we need
Line 2407  sub remove_user_file_handler { Line 2588  sub remove_user_file_handler {
     if (-e $file) {      if (-e $file) {
  #   #
  #   If the file is a regular file unlink is fine...   #   If the file is a regular file unlink is fine...
  #   However it's possible the client wants a dir.   #   However it's possible the client wants a dir
  #   removed, in which case rmdir is more approprate:   #   removed, in which case rmdir is more appropriate
           #   Note: rmdir will only remove an empty directory.
  #   #
         if (-f $file){          if (-f $file){
     unlink($file);      unlink($file);
                       # for html files remove the associated .bak file
                       # which may have been created by the editor.
                       if ($ufile =~ m{^((docs|supplemental)/(?:\d+|default)/\d+(?:|/.+)/)[^/]+\.x?html?$}i) {
                           my $path = $1;
                           if (-e $file.'.bak') {
                               unlink($file.'.bak');
                           }
                       }
  } elsif(-d $file) {   } elsif(-d $file) {
     rmdir($file);      rmdir($file);
  }   }
Line 2774  sub newput_user_profile_entry { Line 2964  sub newput_user_profile_entry {
     foreach my $pair (@pairs) {      foreach my $pair (@pairs) {
  my ($key,$value)=split(/=/,$pair);   my ($key,$value)=split(/=/,$pair);
  if (exists($hashref->{$key})) {   if (exists($hashref->{$key})) {
               if (!&untie_user_hash($hashref)) {
                   &logthis("error: ".($!+0)." untie (GDBM) failed ".
                            "while attempting newput - early out as key exists");
               }
     &Failure($client, "key_exists: ".$key."\n",$userinput);      &Failure($client, "key_exists: ".$key."\n",$userinput);
     return 1;      return 1;
  }   }
Line 3025  sub get_profile_entry { Line 3219  sub get_profile_entry {
 #  #
 #  Parameters:  #  Parameters:
 #     $cmd               - Command keyword of request (eget).  #     $cmd               - Command keyword of request (eget).
 #     $tail              - Tail of the command.  See GetProfileEntry #                          for more information about this.  #     $tail              - Tail of the command.  See GetProfileEntry
   #                          for more information about this.
 #     $client            - File open on the client.  #     $client            - File open on the client.
 #  Returns:  #  Returns:
 #     1      - Continue processing  #     1      - Continue processing
Line 3277  sub dump_with_regexp { Line 3472  sub dump_with_regexp {
 #                          namespace   - Name of the database being modified  #                          namespace   - Name of the database being modified
 #                          rid         - Resource keyword to modify.  #                          rid         - Resource keyword to modify.
 #                          what        - new value associated with rid.  #                          what        - new value associated with rid.
   #                          laststore   - (optional) version=timestamp
   #                                        for most recent transaction for rid
   #                                        in namespace, when cstore was called
 #  #
 #    $client             - Socket open on the client.  #    $client             - Socket open on the client.
 #  #
Line 3285  sub dump_with_regexp { Line 3483  sub dump_with_regexp {
 #      1 (keep on processing).  #      1 (keep on processing).
 #  Side-Effects:  #  Side-Effects:
 #    Writes to the client  #    Writes to the client
   #    Successful storage will cause either 'ok', or, if $laststore was included
   #    in the tail of the request, and the version number for the last transaction
   #    is larger than the version in $laststore, delay:$numtrans , where $numtrans
   #    is the number of store evevnts recorded for rid in namespace since
   #    lonnet::store() was called by the client.
   #
 sub store_handler {  sub store_handler {
     my ($cmd, $tail, $client) = @_;      my ($cmd, $tail, $client) = @_;
     
     my $userinput = "$cmd:$tail";      my $userinput = "$cmd:$tail";
   
     my ($udom,$uname,$namespace,$rid,$what) =split(/:/,$tail);      chomp($tail);
       my ($udom,$uname,$namespace,$rid,$what,$laststore) =split(/:/,$tail);
     if ($namespace ne 'roles') {      if ($namespace ne 'roles') {
   
  chomp($what);  
  my @pairs=split(/\&/,$what);   my @pairs=split(/\&/,$what);
  my $hashref  = &tie_user_hash($udom, $uname, $namespace,   my $hashref  = &tie_user_hash($udom, $uname, $namespace,
        &GDBM_WRCREAT(), "S",         &GDBM_WRCREAT(), "S",
        "$rid:$what");         "$rid:$what");
  if ($hashref) {   if ($hashref) {
     my $now = time;      my $now = time;
     my @previouskeys=split(/&/,$hashref->{"keys:$rid"});              my $numtrans;
     my $key;              if ($laststore) {
                   my ($previousversion,$previoustime) = split(/\=/,$laststore);
                   my ($lastversion,$lasttime) = (0,0);
                   $lastversion = $hashref->{"version:$rid"};
                   if ($lastversion) {
                       $lasttime = $hashref->{"$lastversion:$rid:timestamp"};
                   }
                   if (($previousversion) && ($previousversion !~ /\D/)) {
                       if (($lastversion > $previousversion) && ($lasttime >= $previoustime)) {
                           $numtrans = $lastversion - $previousversion;
                       }
                   } elsif ($lastversion) {
                       $numtrans = $lastversion;
                   }
                   if ($numtrans) {
                       $numtrans =~ s/D//g;
                   }
               }
   
     $hashref->{"version:$rid"}++;      $hashref->{"version:$rid"}++;
     my $version=$hashref->{"version:$rid"};      my $version=$hashref->{"version:$rid"};
     my $allkeys='';       my $allkeys=''; 
Line 3314  sub store_handler { Line 3536  sub store_handler {
     $allkeys.='timestamp';      $allkeys.='timestamp';
     $hashref->{"$version:keys:$rid"}=$allkeys;      $hashref->{"$version:keys:$rid"}=$allkeys;
     if (&untie_user_hash($hashref)) {      if (&untie_user_hash($hashref)) {
  &Reply($client, "ok\n", $userinput);                  my $msg = 'ok';
                   if ($numtrans) {
                       $msg = 'delay:'.$numtrans;
                   }
                   &Reply($client, "$msg\n", $userinput);
     } else {      } else {
  &Failure($client, "error: ".($!+0)." untie(GDBM) Failed ".   &Failure($client, "error: ".($!+0)." untie(GDBM) Failed ".
  "while attempting store\n", $userinput);   "while attempting store\n", $userinput);
Line 3576  sub send_query_handler { Line 3802  sub send_query_handler {
   
     my ($query,$arg1,$arg2,$arg3)=split(/\:/,$tail);      my ($query,$arg1,$arg2,$arg3)=split(/\:/,$tail);
     $query=~s/\n*$//g;      $query=~s/\n*$//g;
       if (($query eq 'usersearch') || ($query eq 'instdirsearch')) {
           my $usersearchconf = &get_usersearch_config($currentdomainid,'directorysrch');
           my $earlyout;
           if (ref($usersearchconf) eq 'HASH') {
               if ($currentdomainid eq $clienthomedom) {
                   if ($query eq 'usersearch') {
                       if ($usersearchconf->{'lcavailable'} eq '0') {
                           $earlyout = 1;
                       }
                   } else {
                       if ($usersearchconf->{'available'} eq '0') {
                           $earlyout = 1;
                       }
                   }
               } else {
                   if ($query eq 'usersearch') {
                       if ($usersearchconf->{'lclocalonly'}) {
                           $earlyout = 1;
                       }
                   } else {
                       if ($usersearchconf->{'localonly'}) {
                           $earlyout = 1;
                       }
                   }
               }
           }
           if ($earlyout) {
               &Reply($client, "query_not_authorized\n");
               return 1;
           }
       }
     &Reply($client, "". &sql_reply("$clientname\&$query".      &Reply($client, "". &sql_reply("$clientname\&$query".
  "\&$arg1"."\&$arg2"."\&$arg3")."\n",   "\&$arg1"."\&$arg2"."\&$arg3")."\n",
   $userinput);    $userinput);
Line 3830  sub put_course_id_hash_handler { Line 4087  sub put_course_id_hash_handler {
 #                 creationcontext - include courses created in specified context   #                 creationcontext - include courses created in specified context 
 #  #
 #                 domcloner - flag to indicate if user can create CCs in course's domain.  #                 domcloner - flag to indicate if user can create CCs in course's domain.
 #                             If so, ability to clone course is automatic.   #                             If so, ability to clone course is automatic.
   #                 hasuniquecode - filter by courses for which a six character unique code has
   #                                 been set.
 #  #
 #     $client  - The socket open on the client.  #     $client  - The socket open on the client.
 # Returns:  # Returns:
Line 3844  sub dump_course_id_handler { Line 4103  sub dump_course_id_handler {
     my ($udom,$since,$description,$instcodefilter,$ownerfilter,$coursefilter,      my ($udom,$since,$description,$instcodefilter,$ownerfilter,$coursefilter,
         $typefilter,$regexp_ok,$rtn_as_hash,$selfenrollonly,$catfilter,$showhidden,          $typefilter,$regexp_ok,$rtn_as_hash,$selfenrollonly,$catfilter,$showhidden,
         $caller,$cloner,$cc_clone_list,$cloneonly,$createdbefore,$createdafter,          $caller,$cloner,$cc_clone_list,$cloneonly,$createdbefore,$createdafter,
         $creationcontext,$domcloner) =split(/:/,$tail);          $creationcontext,$domcloner,$hasuniquecode) =split(/:/,$tail);
     my $now = time;      my $now = time;
     my ($cloneruname,$clonerudom,%cc_clone);      my ($cloneruname,$clonerudom,%cc_clone);
     if (defined($description)) {      if (defined($description)) {
Line 3917  sub dump_course_id_handler { Line 4176  sub dump_course_id_handler {
     } else {      } else {
         $creationcontext = '.';          $creationcontext = '.';
     }      }
       unless ($hasuniquecode) {
           $hasuniquecode = '.';
       }
     my $unpack = 1;      my $unpack = 1;
     if ($description eq '.' && $instcodefilter eq '.' && $ownerfilter eq '.' &&       if ($description eq '.' && $instcodefilter eq '.' && $ownerfilter eq '.' && 
         $typefilter eq '.') {          $typefilter eq '.') {
Line 4005  sub dump_course_id_handler { Line 4267  sub dump_course_id_handler {
                 $selfenroll_end = $items->{'selfenroll_end_date'};                  $selfenroll_end = $items->{'selfenroll_end_date'};
                 $created = $items->{'created'};                  $created = $items->{'created'};
                 $context = $items->{'context'};                  $context = $items->{'context'};
                   if ($hasuniquecode ne '.') {
                       next unless ($items->{'uniquecode'});
                   }
                 if ($selfenrollonly) {                  if ($selfenrollonly) {
                     next if (!$selfenroll_types);                      next if (!$selfenroll_types);
                     if (($selfenroll_end > 0) && ($selfenroll_end <= $now)) {                      if (($selfenroll_end > 0) && ($selfenroll_end <= $now)) {
Line 4303  sub get_domain_handler { Line 4568  sub get_domain_handler {
     my ($cmd, $tail, $client) = @_;      my ($cmd, $tail, $client) = @_;
   
   
     my $userinput = "$client:$tail";      my $userinput = "$cmd:$tail";
   
       my ($udom,$namespace,$what)=split(/:/,$tail,3);
       chomp($what);
       if ($namespace =~ /^enc/) {
           &Failure( $client, "refused\n", $userinput);
       } else {
           my @queries=split(/\&/,$what);
           my $qresult='';
           my $hashref = &tie_domain_hash($udom, "$namespace", &GDBM_READER());
           if ($hashref) {
               for (my $i=0;$i<=$#queries;$i++) {
                   $qresult.="$hashref->{$queries[$i]}&";
               }
               if (&untie_domain_hash($hashref)) {
                   $qresult=~s/\&$//;
                   &Reply($client, \$qresult, $userinput);
               } else {
                   &Failure( $client, "error: ".($!+0)." untie(GDBM) Failed ".
                             "while attempting getdom\n",$userinput);
               }
           } else {
               &Failure($client, "error: ".($!+0)." tie(GDBM) Failed ".
                        "while attempting getdom\n",$userinput);
           }
       }
   
       return 1;
   }
   &register_handler("getdom", \&get_domain_handler, 0, 1, 0);
   
   sub encrypted_get_domain_handler {
       my ($cmd, $tail, $client) = @_;
   
       my $userinput = "$cmd:$tail";
   
     my ($udom,$namespace,$what)=split(/:/,$tail,3);      my ($udom,$namespace,$what)=split(/:/,$tail,3);
     chomp($what);      chomp($what);
Line 4316  sub get_domain_handler { Line 4615  sub get_domain_handler {
         }          }
         if (&untie_domain_hash($hashref)) {          if (&untie_domain_hash($hashref)) {
             $qresult=~s/\&$//;              $qresult=~s/\&$//;
             &Reply($client, \$qresult, $userinput);              if ($cipher) {
                   my $cmdlength=length($qresult);
                   $qresult.="         ";
                   my $encqresult='';
                   for (my $encidx=0;$encidx<=$cmdlength;$encidx+=8) {
                       $encqresult.= unpack("H16",
                                            $cipher->encrypt(substr($qresult,
                                                                    $encidx,
                                                                    8)));
                   }
                   &Reply( $client, "enc:$cmdlength:$encqresult\n", $userinput);
               } else {
                   &Failure( $client, "error:no_key\n", $userinput);
               }
         } else {          } else {
             &Failure( $client, "error: ".($!+0)." untie(GDBM) Failed ".              &Failure( $client, "error: ".($!+0)." untie(GDBM) Failed ".
                       "while attempting getdom\n",$userinput);                        "while attempting egetdom\n",$userinput);
         }          }
     } else {      } else {
         &Failure($client, "error: ".($!+0)." tie(GDBM) Failed ".          &Failure($client, "error: ".($!+0)." tie(GDBM) Failed ".
                  "while attempting getdom\n",$userinput);                   "while attempting egetdom\n",$userinput);
     }      }
   
     return 1;      return 1;
 }  }
 &register_handler("getdom", \&get_domain_handler, 0, 1, 0);  &register_handler("egetdom", \&encrypted_get_domain_handler, 1, 1, 0);
   
 #  #
 #  Puts an id to a domains id database.   #  Puts an id to a domains id database. 
Line 5124  sub validate_course_section_handler { Line 5435  sub validate_course_section_handler {
 # Formal Parameters:  # Formal Parameters:
 #    $cmd     - The command request that got us dispatched.  #    $cmd     - The command request that got us dispatched.
 #    $tail    - The tail of the command.   In this case this is a colon separated  #    $tail    - The tail of the command.   In this case this is a colon separated
 #               set of words that will be split into:  #               set of values that will be split into:
 #               $inst_class  - Institutional code for the specific class section     #               $inst_class  - Institutional code for the specific class section   
 #               $courseowner - The escaped username:domain of the course owner   #               $ownerlist   - An escaped comma-separated list of username:domain
   #                              of the course owner, and co-owner(s).
 #               $cdom        - The domain of the course from the institution's  #               $cdom        - The domain of the course from the institution's
 #                              point of view.  #                              point of view.
 #    $client  - The socket open on the client.  #    $client  - The socket open on the client.
Line 5151  sub validate_class_access_handler { Line 5463  sub validate_class_access_handler {
 &register_handler("autovalidateclass_sec", \&validate_class_access_handler, 0, 1, 0);  &register_handler("autovalidateclass_sec", \&validate_class_access_handler, 0, 1, 0);
   
 #  #
   #   Validate course owner or co-owners(s) access to enrollment data for all sections
   #   and crosslistings for a particular course.
   #
   #
   # Formal Parameters:
   #    $cmd     - The command request that got us dispatched.
   #    $tail    - The tail of the command.   In this case this is a colon separated
   #               set of values that will be split into:
   #               $ownerlist   - An escaped comma-separated list of username:domain
   #                              of the course owner, and co-owner(s).
   #               $cdom        - The domain of the course from the institution's
   #                              point of view.
   #               $classes     - Frozen hash of institutional course sections and
   #                              crosslistings.
   #    $client  - The socket open on the client.
   # Returns:
   #    1 - continue processing.
   #
   
   sub validate_classes_handler {
       my ($cmd, $tail, $client) = @_;
       my $userinput = "$cmd:$tail";
       my ($ownerlist,$cdom,$classes) = split(/:/, $tail);
       my $classesref = &Apache::lonnet::thaw_unescape($classes);
       my $owners = &unescape($ownerlist);
       my $result;
       eval {
           local($SIG{__DIE__})='DEFAULT';
           my %validations;
           my $response = &localenroll::check_instclasses($owners,$cdom,$classesref,
                                                          \%validations);
           if ($response eq 'ok') {
               foreach my $key (keys(%validations)) {
                   $result .= &escape($key).'='.&Apache::lonnet::freeze_escape($validations{$key}).'&';
               }
               $result =~ s/\&$//;
           } else {
               $result = 'error';
           }
       };
       if (!$@) {
           &Reply($client, \$result, $userinput);
       } else {
           &Failure($client,"unknown_cmd\n",$userinput);
       }
       return 1;
   }
   &register_handler("autovalidateinstclasses", \&validate_classes_handler, 0, 1, 0);
   
   #
 #   Create a password for a new LON-CAPA user added by auto-enrollment.  #   Create a password for a new LON-CAPA user added by auto-enrollment.
 #   Only used for case where authentication method for new user is localauth  #   Only used for case where authentication method for new user is localauth
 #  #
Line 5185  sub create_auto_enroll_password_handler Line 5547  sub create_auto_enroll_password_handler
 &register_handler("autocreatepassword", \&create_auto_enroll_password_handler,   &register_handler("autocreatepassword", \&create_auto_enroll_password_handler, 
   0, 1, 0);    0, 1, 0);
   
   sub auto_export_grades_handler {
       my ($cmd, $tail, $client) = @_;
       my $userinput = "$cmd:$tail";
       my ($cdom,$cnum,$info,$data) = split(/:/,$tail);
       my $inforef = &Apache::lonnet::thaw_unescape($info);
       my $dataref = &Apache::lonnet::thaw_unescape($data);
       my ($outcome,$result);;
       eval {
           local($SIG{__DIE__})='DEFAULT';
           my %rtnhash;
           $outcome=&localenroll::export_grades($cdom,$cnum,$inforef,$dataref,\%rtnhash);
           if ($outcome eq 'ok') {
               foreach my $key (keys(%rtnhash)) {
                   $result .= &escape($key).'='.&Apache::lonnet::freeze_escape($rtnhash{$key}).'&';
               }
               $result =~ s/\&$//;
           }
       };
       if (!$@) {
           if ($outcome eq 'ok') {
               if ($cipher) {
                   my $cmdlength=length($result);
                   $result.="         ";
                   my $encresult='';
                   for (my $encidx=0;$encidx<=$cmdlength;$encidx+=8) {
                       $encresult.= unpack("H16",
                                           $cipher->encrypt(substr($result,
                                                                   $encidx,
                                                                   8)));
                   }
                   &Reply( $client, "enc:$cmdlength:$encresult\n", $userinput);
               } else {
                   &Failure( $client, "error:no_key\n", $userinput);
               }
           } else {
               &Reply($client, "$outcome\n", $userinput);
           }
       } else {
           &Failure($client,"export_error\n",$userinput);
       }
       return 1;
   }
   &register_handler("autoexportgrades", \&auto_export_grades_handler,
                     1, 1, 0);
   
   
 #   Retrieve and remove temporary files created by/during autoenrollment.  #   Retrieve and remove temporary files created by/during autoenrollment.
 #  #
 # Formal Parameters:  # Formal Parameters:
 #    $cmd      - The command that got us dispatched.  #    $cmd      - The command that got us dispatched.
 #    $tail     - The tail of the command.  In our case this is a colon   #    $tail     - The tail of the command.  In our case this is a colon 
 #                separated list that will be split into:  #                separated list that will be split into:
 #                $filename - The name of the file to remove.  #                $filename - The name of the file to retrieve.
 #                            The filename is given as a path relative to  #                            The filename is given as a path relative to
 #                            the LonCAPA temp file directory.  #                            the LonCAPA temp file directory.
 #    $client   - Socket open on the client.  #    $client   - Socket open on the client.
Line 5205  sub retrieve_auto_file_handler { Line 5613  sub retrieve_auto_file_handler {
     my ($filename)   = split(/:/, $tail);      my ($filename)   = split(/:/, $tail);
   
     my $source = $perlvar{'lonDaemons'}.'/tmp/'.$filename;      my $source = $perlvar{'lonDaemons'}.'/tmp/'.$filename;
     if ( (-e $source) && ($filename ne '') ) {      if ($filename =~m{/\.\./}) {
           &Failure($client, "refused\n", $userinput);
       } elsif ($filename !~ /^$LONCAPA::match_domain\_$LONCAPA::match_courseid\_.+_classlist\.xml$/) {
           &Failure($client, "refused\n", $userinput);
       } elsif ( (-e $source) && ($filename ne '') ) {
  my $reply = '';   my $reply = '';
  if (open(my $fh,$source)) {   if (open(my $fh,$source)) {
     while (<$fh>) {      while (<$fh>) {
Line 5237  sub crsreq_checks_handler { Line 5649  sub crsreq_checks_handler {
     my $userinput = "$cmd:$tail";      my $userinput = "$cmd:$tail";
     my $dom = $tail;      my $dom = $tail;
     my $result;      my $result;
     my @reqtypes = ('official','unofficial','community');      my @reqtypes = ('official','unofficial','community','textbook');
     eval {      eval {
         local($SIG{__DIE__})='DEFAULT';          local($SIG{__DIE__})='DEFAULT';
         my %validations;          my %validations;
Line 5264  sub crsreq_checks_handler { Line 5676  sub crsreq_checks_handler {
 sub validate_crsreq_handler {  sub validate_crsreq_handler {
     my ($cmd, $tail, $client) = @_;      my ($cmd, $tail, $client) = @_;
     my $userinput = "$cmd:$tail";      my $userinput = "$cmd:$tail";
     my ($dom,$owner,$crstype,$inststatuslist,$instcode,$instseclist) = split(/:/, $tail);      my ($dom,$owner,$crstype,$inststatuslist,$instcode,$instseclist,$customdata) = split(/:/, $tail);
     $instcode = &unescape($instcode);      $instcode = &unescape($instcode);
     $owner = &unescape($owner);      $owner = &unescape($owner);
     $crstype = &unescape($crstype);      $crstype = &unescape($crstype);
     $inststatuslist = &unescape($inststatuslist);      $inststatuslist = &unescape($inststatuslist);
     $instcode = &unescape($instcode);      $instcode = &unescape($instcode);
     $instseclist = &unescape($instseclist);      $instseclist = &unescape($instseclist);
       my $custominfo = &Apache::lonnet::thaw_unescape($customdata);
     my $outcome;      my $outcome;
     eval {      eval {
         local($SIG{__DIE__})='DEFAULT';          local($SIG{__DIE__})='DEFAULT';
         $outcome = &localenroll::validate_crsreq($dom,$owner,$crstype,          $outcome = &localenroll::validate_crsreq($dom,$owner,$crstype,
                                                  $inststatuslist,$instcode,                                                   $inststatuslist,$instcode,
                                                  $instseclist);                                                   $instseclist,$custominfo);
     };      };
     if (!$@) {      if (!$@) {
         &Reply($client, \$outcome, $userinput);          &Reply($client, \$outcome, $userinput);
Line 5287  sub validate_crsreq_handler { Line 5700  sub validate_crsreq_handler {
 }  }
 &register_handler("autocrsreqvalidation", \&validate_crsreq_handler, 0, 1, 0);  &register_handler("autocrsreqvalidation", \&validate_crsreq_handler, 0, 1, 0);
   
   sub crsreq_update_handler {
       my ($cmd, $tail, $client) = @_;
       my $userinput = "$cmd:$tail";
       my ($cdom,$cnum,$crstype,$action,$ownername,$ownerdomain,$fullname,$title,$code,
           $accessstart,$accessend,$infohashref) =
           split(/:/, $tail);
       $crstype = &unescape($crstype);
       $action = &unescape($action);
       $ownername = &unescape($ownername);
       $ownerdomain = &unescape($ownerdomain);
       $fullname = &unescape($fullname);
       $title = &unescape($title);
       $code = &unescape($code);
       $accessstart = &unescape($accessstart);
       $accessend = &unescape($accessend);
       my $incoming = &Apache::lonnet::thaw_unescape($infohashref);
       my ($result,$outcome);
       eval {
           local($SIG{__DIE__})='DEFAULT';
           my %rtnhash;
           $outcome = &localenroll::crsreq_updates($cdom,$cnum,$crstype,$action,
                                                   $ownername,$ownerdomain,$fullname,
                                                   $title,$code,$accessstart,$accessend,
                                                   $incoming,\%rtnhash);
           if ($outcome eq 'ok') {
               my @posskeys = qw(createdweb createdmsg createdcustomized createdactions queuedweb queuedmsg formitems reviewweb validationjs onload javascript);
               foreach my $key (keys(%rtnhash)) {
                   if (grep(/^\Q$key\E/,@posskeys)) {
                       $result .= &escape($key).'='.&Apache::lonnet::freeze_escape($rtnhash{$key}).'&';
                   }
               }
               $result =~ s/\&$//;
           }
       };
       if (!$@) {
           if ($outcome eq 'ok') {
               &Reply($client, \$result, $userinput);
           } else {
               &Reply($client, "format_error\n", $userinput);
           }
       } else {
           &Failure($client,"unknown_cmd\n",$userinput);
       }
       return 1;
   }
   &register_handler("autocrsrequpdate", \&crsreq_update_handler, 0, 1, 0);
   
 #  #
 #   Read and retrieve institutional code format (for support form).  #   Read and retrieve institutional code format (for support form).
 # Formal Parameters:  # Formal Parameters:
Line 6479  sub make_new_child { Line 6939  sub make_new_child {
 #        my $tmpsnum=0;            # Now global  #        my $tmpsnum=0;            # Now global
 #---------------------------------------------------- kerberos 5 initialization  #---------------------------------------------------- kerberos 5 initialization
         &Authen::Krb5::init_context();          &Authen::Krb5::init_context();
  unless (($dist eq 'fedora5') || ($dist eq 'fedora4') ||    
  ($dist eq 'fedora6') || ($dist eq 'suse9.3') ||          my $no_ets;
                 ($dist eq 'suse12.2') || ($dist eq 'suse12.3')) {          if ($dist =~ /^(?:centos|rhes|scientific)(\d+)$/) {
     &Authen::Krb5::init_ets();              if ($1 >= 7) {
  }                  $no_ets = 1;
               }
           } elsif ($dist =~ /^suse(\d+\.\d+)$/) {
               if (($1 eq '9.3') || ($1 >= 12.2)) {
                   $no_ets = 1;
               }
           } elsif ($dist =~ /^sles(\d+)$/) {
               if ($1 > 11) {
                   $no_ets = 1;
               }
           } elsif ($dist =~ /^fedora(\d+)$/) {
               if ($1 < 7) {
                   $no_ets = 1;
               }
           }
           unless ($no_ets) {
               &Authen::Krb5::init_ets();
           }
   
  &status('Accepted connection');   &status('Accepted connection');
 # =============================================================================  # =============================================================================
Line 6597  sub make_new_child { Line 7074  sub make_new_child {
   ."Attempted insecure connection disallowed </font>");    ."Attempted insecure connection disallowed </font>");
  close $client;   close $client;
  $clientok = 0;   $clientok = 0;
   
     }      }
  }   }
     } else {      } else {
Line 6606  sub make_new_child { Line 7082  sub make_new_child {
  ."$clientip failed to initialize: >$remotereq< </font>");   ."$clientip failed to initialize: >$remotereq< </font>");
  &status('No init '.$clientip);   &status('No init '.$clientip);
     }      }
       
  } else {   } else {
     &logthis(      &logthis(
      "<font color='blue'>WARNING: Unknown client $clientip</font>");       "<font color='blue'>WARNING: Unknown client $clientip</font>");
Line 6764  sub password_filename { Line 7239  sub password_filename {
 #    domain    - domain of the user.  #    domain    - domain of the user.
 #    name      - User's name.  #    name      - User's name.
 #    contents  - New contents of the file.  #    contents  - New contents of the file.
   #    saveold   - (optional). If true save old file in a passwd.bak file.
 # Returns:  # Returns:
 #   0    - Failed.  #   0    - Failed.
 #   1    - Success.  #   1    - Success.
 #  #
 sub rewrite_password_file {  sub rewrite_password_file {
     my ($domain, $user, $contents) = @_;      my ($domain, $user, $contents, $saveold) = @_;
   
     my $file = &password_filename($domain, $user);      my $file = &password_filename($domain, $user);
     if (defined $file) {      if (defined $file) {
           if ($saveold) {
               my $bakfile = $file.'.bak';
               if (CopyFile($file,$bakfile)) {
                   chmod(0400,$bakfile);
                   &logthis("Old password saved in passwd.bak for internally authenticated user: $user:$domain");
               } else {
                   &logthis("Failed to save old password in passwd.bak for internally authenticated user: $user:$domain");
               }
           }
  my $pf = IO::File->new(">$file");   my $pf = IO::File->new(">$file");
  if($pf) {   if($pf) {
     print $pf "$contents\n";      print $pf "$contents\n";
Line 6863  sub validate_user { Line 7348  sub validate_user {
                 $contentpwd = $domdefaults{'auth_arg_def'};                   $contentpwd = $domdefaults{'auth_arg_def'}; 
             }              }
         }          }
     }       }
     if ($howpwd ne 'nouser') {      if ($howpwd ne 'nouser') {
  if($howpwd eq "internal") { # Encrypted is in local password file.   if($howpwd eq "internal") { # Encrypted is in local password file.
     $validated = (crypt($password, $contentpwd) eq $contentpwd);              if (length($contentpwd) == 13) {
                   $validated = (crypt($password,$contentpwd) eq $contentpwd);
                   if ($validated) {
                       my %domdefaults = &Apache::lonnet::get_domain_defaults($domain);
                       if ($domdefaults{'intauth_switch'}) {
                           my $ncpass = &hash_passwd($domain,$password);
                           my $saveold;
                           if ($domdefaults{'intauth_switch'} == 2) {
                               $saveold = 1;
                           }
                           if (&rewrite_password_file($domain,$user,"$howpwd:$ncpass",$saveold)) {
                               &update_passwd_history($user,$domain,$howpwd,'conversion');
                               &logthis("Validated password hashed with bcrypt for $user:$domain");
                           }
                       }
                   }
               } else {
                   $validated = &check_internal_passwd($password,$contentpwd,$domain,$user);
               }
  }   }
  elsif ($howpwd eq "unix") { # User is a normal unix user.   elsif ($howpwd eq "unix") { # User is a normal unix user.
     $contentpwd = (getpwnam($user))[1];      $contentpwd = (getpwnam($user))[1];
Line 6934  sub validate_user { Line 7437  sub validate_user {
     return $validated;      return $validated;
 }  }
   
   sub check_internal_passwd {
       my ($plainpass,$stored,$domain,$user) = @_;
       my (undef,$method,@rest) = split(/!/,$stored);
       if ($method eq 'bcrypt') {
           my $result = &hash_passwd($domain,$plainpass,@rest);
           if ($result ne $stored) {
               return 0;
           }
           my %domdefaults = &Apache::lonnet::get_domain_defaults($domain);
           if ($domdefaults{'intauth_check'}) {
               # Upgrade to a larger number of rounds if necessary
               my $defaultcost = $domdefaults{'intauth_cost'};
               if (($defaultcost eq '') || ($defaultcost =~ /D/)) {
                   $defaultcost = 10;
               }
               if (int($rest[0])<int($defaultcost)) {
                   if ($domdefaults{'intauth_check'} == 1) {
                       my $ncpass = &hash_passwd($domain,$plainpass);
                       if (&rewrite_password_file($domain,$user,"internal:$ncpass")) {
                           &update_passwd_history($user,$domain,'internal','update cost');
                           &logthis("Validated password hashed with bcrypt for $user:$domain");
                       }
                       return 1;
                   } elsif ($domdefaults{'intauth_check'} == 2) {
                       return 0;
                   }
               }
           } else {
               return 1;
           }
       }
       return 0;
   }
   
   sub get_last_authchg {
       my ($domain,$user) = @_;
       my $lastmod;
       my $logname = &propath($domain,$user).'/passwd.log';
       if (-e "$logname") {
           $lastmod = (stat("$logname"))[9];
       }
       return $lastmod;
   }
   
 sub krb4_authen {  sub krb4_authen {
     my ($password,$null,$user,$contentpwd) = @_;      my ($password,$null,$user,$contentpwd) = @_;
     my $validated = 0;      my $validated = 0;
Line 7249  sub change_unix_password { Line 7796  sub change_unix_password {
   
   
 sub make_passwd_file {  sub make_passwd_file {
     my ($uname,$udom,$umode,$npass,$passfilename)=@_;      my ($uname,$udom,$umode,$npass,$passfilename,$action)=@_;
     my $result="ok";      my $result="ok";
     if ($umode eq 'krb4' or $umode eq 'krb5') {      if ($umode eq 'krb4' or $umode eq 'krb5') {
  {   {
     my $pf = IO::File->new(">$passfilename");      my $pf = IO::File->new(">$passfilename");
     if ($pf) {      if ($pf) {
  print $pf "$umode:$npass\n";   print $pf "$umode:$npass\n";
                   &update_passwd_history($uname,$udom,$umode,$action);
     } else {      } else {
  $result = "pass_file_failed_error";   $result = "pass_file_failed_error";
     }      }
  }   }
     } elsif ($umode eq 'internal') {      } elsif ($umode eq 'internal') {
  my $salt=time;          my $ncpass = &hash_passwd($udom,$npass);
  $salt=substr($salt,6,2);  
  my $ncpass=crypt($npass,$salt);  
  {   {
     &Debug("Creating internal auth");      &Debug("Creating internal auth");
     my $pf = IO::File->new(">$passfilename");      my $pf = IO::File->new(">$passfilename");
     if($pf) {      if($pf) {
  print $pf "internal:$ncpass\n";    print $pf "internal:$ncpass\n"; 
                   &update_passwd_history($uname,$udom,$umode,$action);
     } else {      } else {
  $result = "pass_file_failed_error";   $result = "pass_file_failed_error";
     }      }
Line 7278  sub make_passwd_file { Line 7825  sub make_passwd_file {
     my $pf = IO::File->new(">$passfilename");      my $pf = IO::File->new(">$passfilename");
     if($pf) {      if($pf) {
  print $pf "localauth:$npass\n";   print $pf "localauth:$npass\n";
                   &update_passwd_history($uname,$udom,$umode,$action);
     } else {      } else {
  $result = "pass_file_failed_error";   $result = "pass_file_failed_error";
     }      }
Line 7348  sub get_usersession_config { Line 7896  sub get_usersession_config {
     return;      return;
 }  }
   
   sub get_usersearch_config {
       my ($dom,$name) = @_;
       my ($usersearchconf,$cached)=&Apache::lonnet::is_cached_new($name,$dom);
       if (defined($cached)) {
           return $usersearchconf;
       } else {
           my %domconfig = &Apache::lonnet::get_dom('configuration',['directorysrch'],$dom);
           &Apache::lonnet::do_cache_new($name,$dom,$domconfig{'directorysrch'},3600);
           return $domconfig{'directorysrch'};
       }
       return;
   }
   
 sub distro_and_arch {  sub distro_and_arch {
     return $dist.':'.$arch;      return $dist.':'.$arch;

Removed from v.1.489.2.9  
changed lines
  Added in v.1.489.2.28.2.2


FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>