--- loncom/auth/lonauth.pm 2014/02/26 20:46:45 1.121.2.9
+++ loncom/auth/lonauth.pm 2020/05/02 15:29:40 1.121.2.19
@@ -1,7 +1,7 @@
# The LearningOnline Network
# User Authentication Module
#
-# $Id: lonauth.pm,v 1.121.2.9 2014/02/26 20:46:45 raeburn Exp $
+# $Id: lonauth.pm,v 1.121.2.19 2020/05/02 15:29:40 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -32,8 +32,6 @@ use strict;
use LONCAPA;
use Apache::Constants qw(:common);
use CGI qw(:standard);
-use DynaLoader; # for Crypt::DES version
-use Crypt::DES;
use Apache::loncommon();
use Apache::lonnet;
use Apache::lonmenu();
@@ -42,11 +40,12 @@ use Fcntl qw(:flock);
use Apache::lonlocal;
use Apache::File();
use HTML::Entities;
+use Digest::MD5;
# ------------------------------------------------------------ Successful login
sub success {
my ($r, $username, $domain, $authhost, $lowerurl, $extra_env,
- $form) = @_;
+ $form,$cid) = @_;
# ------------------------------------------------------------ Get cookie ready
my $cookie =
@@ -72,8 +71,27 @@ sub success {
}
}
-# ------------------------------------------------------------ Get cookie ready
- $cookie="lonID=$cookie; path=/";
+# ------------------------------------------------------------ Get cookies ready
+ my ($securecookie,$defaultcookie);
+ my $ssl = $r->subprocess_env('https');
+ if ($ssl) {
+ $securecookie="lonSID=$cookie; path=/; HttpOnly; secure";
+ my $lonidsdir=$r->dir_config('lonIDsDir');
+ if (($lonidsdir) && (-e "$lonidsdir/$cookie.id")) {
+ my $linkname=substr(Digest::MD5::md5_hex(Digest::MD5::md5_hex(time(). {}. rand(). $$)), 0, 32).'_linked';
+ if (-e "$lonidsdir/$linkname.id") {
+ unlink("$lonidsdir/$linkname.id");
+ }
+ my $made_symlink = eval { symlink("$lonidsdir/$cookie.id",
+ "$lonidsdir/$linkname.id"); 1 };
+ if ($made_symlink) {
+ $defaultcookie = "lonLinkID=$linkname; path=/; HttpOnly;";
+ &Apache::lonnet::appenv({'user.linkedenv' => $linkname});
+ }
+ }
+ } else {
+ $defaultcookie = "lonID=$cookie; path=/; HttpOnly;";
+ }
# -------------------------------------------------------- Menu script and info
my $destination = $lowerurl;
@@ -99,18 +117,26 @@ sub success {
}
if (defined($form->{symb})) {
my $destsymb = $form->{symb};
+ my $encrypted;
+ if ($destsymb =~ m{^/enc/}) {
+ $encrypted = 1;
+ if ($cid) {
+ $destsymb = &Apache::lonenc::unencrypted($destsymb,$cid);
+ }
+ }
$destination .= ($destination =~ /\?/) ? '&' : '?';
if ($destsymb =~ /___/) {
- # FIXME Need to deal with encrypted symbs and urls as needed.
my ($map,$resid,$desturl)=split(/___/,$destsymb);
- unless ($desturl=~/^(adm|editupload|public)/) {
- $desturl = &Apache::lonnet::clutter($desturl);
+ $desturl = &Apache::lonnet::clutter($desturl);
+ if ($encrypted) {
+ $desturl = &Apache::lonenc::encrypted($desturl,1,$cid);
+ $destsymb = $form->{symb};
}
$desturl = &HTML::Entities::encode($desturl,'"<>&');
$destsymb = &HTML::Entities::encode($destsymb,'"<>&');
$destination .= 'destinationurl='.$desturl.
'&destsymb='.$destsymb;
- } else {
+ } elsif (!$encrypted) {
$destsymb = &HTML::Entities::encode($destsymb,'"<>&');
$destination .= 'destinationurl='.$destsymb;
}
@@ -140,7 +166,12 @@ sub success {
# ------------------------------------------------- Output for successful login
&Apache::loncommon::content_type($r,'text/html');
- $r->header_out('Set-cookie' => $cookie);
+ if ($securecookie) {
+ $r->headers_out->add('Set-cookie' => $securecookie);
+ }
+ if ($defaultcookie) {
+ $r->headers_out->add('Set-cookie' => $defaultcookie);
+ }
$r->send_http_header;
my %lt=&Apache::lonlocal::texthash(
@@ -165,6 +196,7 @@ $maincall
$continuelink
$end_page
ENDSUCCESS
+ return;
}
# --------------------------------------------------------------- Failed login!
@@ -239,7 +271,6 @@ sub reroute {
sub handler {
my $r = shift;
my $londocroot = $r->dir_config('lonDocRoot');
- my $form;
# Are we re-routing?
if (-e "$londocroot/lon-status/reroute.txt") {
&reroute($r);
@@ -303,10 +334,11 @@ sub handler {
# split user logging in and "su"-user
- ($form{'uname'},$form{'suname'})=split(/\:/,$form{'uname'});
+ ($form{'uname'},$form{'suname'},$form{'sudom'})=split(/\:/,$form{'uname'});
$form{'uname'} = &LONCAPA::clean_username($form{'uname'});
$form{'suname'}= &LONCAPA::clean_username($form{'suname'});
- $form{'udom'} = &LONCAPA::clean_domain( $form{'udom'});
+ $form{'udom'} = &LONCAPA::clean_domain($form{'udom'});
+ $form{'sudom'} = &LONCAPA::clean_domain($form{'sudom'});
my $role = $r->dir_config('lonRole');
my $domain = $r->dir_config('lonDefDomain');
@@ -318,12 +350,6 @@ sub handler {
my $tmpinfo=Apache::lonnet::reply('tmpget:'.$form{'logtoken'},
$form{'serverid'});
- my %sessiondata;
- if ($form{'iptoken'}) {
- %sessiondata = &Apache::lonnet::tmpget($form{'iptoken'});
- my $delete = &Apache::lonnet::tmpdel($form{'token'});
- }
-
if (($tmpinfo=~/^error/) || ($tmpinfo eq 'con_lost') ||
($tmpinfo eq 'no_such_host')) {
&failed($r,'Information needed to verify your login information is missing, inaccessible or expired.',\%form);
@@ -343,40 +369,27 @@ sub handler {
return OK;
}
- my ($key,$firsturl,$rolestr,$symbstr)=split(/&/,$tmpinfo);
+ my ($key,$firsturl,$rolestr,$symbstr,$iptokenstr)=split(/&/,$tmpinfo);
if ($rolestr) {
$rolestr = &unescape($rolestr);
}
if ($symbstr) {
$symbstr= &unescape($symbstr);
}
+ if ($iptokenstr) {
+ $iptokenstr = &unescape($iptokenstr);
+ }
if ($rolestr =~ /^role=/) {
(undef,$form{'role'}) = split('=',$rolestr);
}
if ($symbstr =~ /^symb=/) {
(undef,$form{'symb'}) = split('=',$symbstr);
}
-
- my $keybin=pack("H16",$key);
-
- my $cipher;
- if ($Crypt::DES::VERSION>=2.03) {
- $cipher=new Crypt::DES $keybin;
- }
- else {
- $cipher=new DES $keybin;
+ if ($iptokenstr =~ /^iptoken=/) {
+ (undef,$form{'iptoken'}) = split('=',$iptokenstr);
}
- my $upass='';
- for (my $i=0;$i<=2;$i++) {
- my $chunk=
- $cipher->decrypt(unpack("a8",pack("H16",substr($form{'upass'.$i},0,16))));
- $chunk.=
- $cipher->decrypt(unpack("a8",pack("H16",substr($form{'upass'.$i},16,16))));
-
- $chunk=substr($chunk,1,ord(substr($chunk,0,1)));
- $upass.=$chunk;
- }
+ my $upass = &Apache::loncommon::des_decrypt($key,$form{'upass0'});
# ---------------------------------------------------------------- Authenticate
@@ -440,6 +453,8 @@ sub handler {
my $hosthere;
if ($form{'iptoken'}) {
+ my %sessiondata = &Apache::lonnet::tmpget($form{'iptoken'});
+ my $delete = &Apache::lonnet::tmpdel($form{'iptoken'});
if (($sessiondata{'domain'} eq $form{'udom'}) &&
($sessiondata{'username'} eq $form{'uname'})) {
$hosthere = 1;
@@ -448,20 +463,68 @@ sub handler {
# --------------------------------- Are we attempting to login as somebody else?
if ($form{'suname'}) {
+ my ($suname,$sudom,$sudomref);
+ $suname = $form{'suname'};
+ $sudom = $form{'udom'};
+ if ($form{'sudom'}) {
+ unless ($sudom eq $form{'sudom'}) {
+ if (&Apache::lonnet::domain($form{'sudom'})) {
+ $sudomref = [$form{'sudom'}];
+ $sudom = $form{'sudom'};
+ }
+ }
+ }
# ------------ see if the original user has enough privileges to pull this stunt
- if (&Apache::lonnet::privileged($form{'uname'},$form{'udom'})) {
+ if (&Apache::lonnet::privileged($form{'uname'},$form{'udom'},$sudomref)) {
# ---------------------------------------------------- see if the su-user exists
- unless (&Apache::lonnet::homeserver($form{'suname'},$form{'udom'})
- eq 'no_host') {
- &Apache::lonnet::logthis(&Apache::lonnet::homeserver($form{'suname'},$form{'udom'}));
+ unless (&Apache::lonnet::homeserver($suname,$sudom) eq 'no_host') {
# ------------------------------ see if the su-user is not too highly privileged
- unless (&Apache::lonnet::privileged($form{'suname'},$form{'udom'})) {
+ if (&Apache::lonnet::privileged($suname,$sudom)) {
+ &Apache::lonnet::logthis('Attempted switch user to privileged user');
+ } else {
+ my $noprivswitch;
+#
+# su-user's home server and user's home server must have one of:
+# (a) same domain
+# (b) same primary library server for the two domains
+# (c) same "internet domain" for primary library server(s) for home servers' domains
+#
+ my $suprim = &Apache::lonnet::domain($sudom,'primary');
+ my $suintdom = &Apache::lonnet::internet_dom($suprim);
+ unless ($sudom eq $form{'udom'}) {
+ my $uprim = &Apache::lonnet::domain($form{'udom'},'primary');
+ my $uintdom = &Apache::lonnet::internet_dom($uprim);
+ unless ($suprim eq $uprim) {
+ unless ($suintdom eq $uintdom) {
+ &Apache::lonnet::logthis('Attempted switch user '
+ .'to user with different "internet domain".');
+ $noprivswitch = 1;
+ }
+ }
+ }
+
+ unless ($noprivswitch) {
+#
+# server where log-in occurs must have same "internet domain" as su-user's home
+# server
+#
+ my $lonhost = $r->dir_config('lonHostID');
+ my $hostintdom = &Apache::lonnet::internet_dom($lonhost);
+ if ($hostintdom ne $suintdom) {
+ &Apache::lonnet::logthis('Attempted switch user on a '
+ .'server with a different "internet domain".');
+ } else {
+
# -------------------------------------------------------- actually switch users
- &Apache::lonnet::logperm('User '.$form{'uname'}.' at '.$form{'udom'}.
- ' logging in as '.$form{'suname'});
- $form{'uname'}=$form{'suname'};
- } else {
- &Apache::lonnet::logthis('Attempted switch user to privileged user');
+
+ &Apache::lonnet::logperm('User '.$form{'uname'}.' at '.
+ $form{'udom'}.' logging in as '.$suname.':'.$sudom);
+ $form{'uname'}=$suname;
+ if ($form{'udom'} ne $sudom) {
+ $form{'udom'}=$sudom;
+ }
+ }
+ }
}
}
} else {
@@ -473,13 +536,25 @@ sub handler {
unless ($hosthere) {
($is_balancer,$otherserver) =
- &Apache::lonnet::check_loadbalancing($form{'uname'},$form{'udom'});
+ &Apache::lonnet::check_loadbalancing($form{'uname'},$form{'udom'},'login');
+ if ($is_balancer) {
+ if ($otherserver eq '') {
+ my $lowest_load;
+ ($otherserver,undef,undef,undef,$lowest_load) = &Apache::lonnet::choose_server($form{'udom'});
+ if ($lowest_load > 100) {
+ $otherserver = &Apache::lonnet::spareserver($lowest_load,$lowest_load,1,$form{'udom'});
+ }
+ }
+ if ($otherserver ne '') {
+ my @hosts = &Apache::lonnet::current_machine_ids();
+ if (grep(/^\Q$otherserver\E$/,@hosts)) {
+ $hosthere = $otherserver;
+ }
+ }
+ }
}
- if ($is_balancer) {
- if (!$otherserver) {
- ($otherserver) = &Apache::lonnet::choose_server($form{'udom'});
- }
+ if (($is_balancer) && (!$hosthere)) {
if ($otherserver) {
&success($r,$form{'uname'},$form{'udom'},$authhost,'noredirect',undef,
\%form);
@@ -547,6 +622,9 @@ sub handler {
return OK;
}
}
+ if (($is_balancer) && ($hosthere)) {
+ $form{'noloadbalance'} = $hosthere;
+ }
&success($r,$form{'uname'},$form{'udom'},$authhost,$firsturl,undef,
\%form);
return OK;
500 Internal Server Error
Internal Server Error
The server encountered an internal error or
misconfiguration and was unable to complete
your request.
Please contact the server administrator at
root@localhost to inform them of the time this error occurred,
and the actions you performed just before this error.
More information about this error may be available
in the server error log.