# The LearningOnline Network # User Authentication Module # # $Id: lonauth.pm,v 1.162 2020/12/18 15:23:03 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # # This file is part of the LearningOnline Network with CAPA (LON-CAPA). # # LON-CAPA is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # LON-CAPA is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with LON-CAPA; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # /home/httpd/html/adm/gpl.txt # # http://www.lon-capa.org/ # package Apache::lonauth; use strict; use LONCAPA qw(:DEFAULT :match); use Apache::Constants qw(:common); use CGI qw(:standard); use Apache::loncommon(); use Apache::lonnet; use Apache::lonmenu(); use Apache::createaccount; use Apache::ltiauth; use Fcntl qw(:flock); use Apache::lonlocal; use Apache::File(); use HTML::Entities; use Digest::MD5; # ------------------------------------------------------------ Successful login sub success { my ($r, $username, $domain, $authhost, $lowerurl, $extra_env, $form,$skipcritical,$cid) = @_; # ------------------------------------------------------------ Get cookie ready my $cookie = &Apache::loncommon::init_user_environment($r, $username, $domain, $authhost, $form, {'extra_env' => $extra_env,}); my $public=($username eq 'public' && $domain eq 'public'); if ($public or $lowerurl eq 'noredirect') { return $cookie; } # -------------------------------------------------------------------- Log this my $ip = &Apache::lonnet::get_requestor_ip(); &Apache::lonnet::log($domain,$username,$authhost, "Login $ip"); # ------------------------------------------------- Check for critical messages unless ($skipcritical) { my @what=&Apache::lonnet::dump('critical',$domain,$username); if ($what[0]) { if (($what[0] ne 'con_lost') && ($what[0]!~/^error\:/)) { $lowerurl='/adm/email?critical=display'; } } } # ----------------------------------------------------------- Get cookies ready my ($securecookie,$defaultcookie); my $ssl = $r->subprocess_env('https'); if ($ssl) { $securecookie="lonSID=$cookie; path=/; HttpOnly; secure"; my $lonidsdir=$r->dir_config('lonIDsDir'); if (($lonidsdir) && (-e "$lonidsdir/$cookie.id")) { my $linkname=substr(Digest::MD5::md5_hex(Digest::MD5::md5_hex(time(). {}. rand(). $$)), 0, 32).'_linked'; if (-e "$lonidsdir/$linkname.id") { unlink("$lonidsdir/$linkname.id"); } my $made_symlink = eval { symlink("$lonidsdir/$cookie.id", "$lonidsdir/$linkname.id"); 1 }; if ($made_symlink) { $defaultcookie = "lonLinkID=$linkname; path=/; HttpOnly;"; &Apache::lonnet::appenv({'user.linkedenv' => $linkname}); } } } else { $defaultcookie = "lonID=$cookie; path=/; HttpOnly;"; } # -------------------------------------------------------- Menu script and info my $destination = $lowerurl; if ($env{'request.lti.login'}) { if (($env{'request.lti.reqcrs'}) && ($env{'request.lti.reqrole'} eq 'cc')) { &Apache::loncommon::content_type($r,'text/html'); if ($securecookie) { $r->headers_out->add('Set-cookie' => $securecookie); } if ($defaultcookie) { $r->headers_out->add('Set-cookie' => $defaultcookie); } $r->send_http_header; if (ref($form) eq 'HASH') { $form->{'lti.login'} = $env{'request.lti.login'}; $form->{'lti.reqcrs'} = $env{'request.lti.reqcrs'}; $form->{'lti.reqrole'} = $env{'request.lti.reqrole'}; $form->{'lti.sourcecrs'} = $env{'request.lti.sourcecrs'}; } &Apache::ltiauth::lti_reqcrs($r,$domain,$form,$username,$domain); return; } if ($env{'request.lti.selfenrollrole'}) { if (&Apache::ltiauth::lti_enroll($username,$domain, $env{'request.lti.selfenrollrole'}) eq 'ok') { $form->{'role'} = $env{'request.lti.selfenrollrole'}; &Apache::lonnet::delenv('request.lti.selfenrollrole'); } else { &Apache::ltiauth::invalid_request($r,24); } } } if (defined($form->{role})) { my $envkey = 'user.role.'.$form->{role}; my $now=time; my $then=$env{'user.login.time'}; my $refresh=$env{'user.refresh.time'}; my $update=$env{'user.update.time'}; if (!$update) { $update = $then; } if (exists($env{$envkey})) { my ($role,$where,$trolecode,$tstart,$tend,$tremark,$tstatus); &Apache::lonnet::role_status($envkey,$update,$refresh,$now,\$role,\$where, \$trolecode,\$tstatus,\$tstart,\$tend); if ($tstatus eq 'is') { $destination .= ($destination =~ /\?/) ? '&' : '?'; my $newrole = &HTML::Entities::encode($form->{role},'"<>&'); $destination .= 'selectrole=1&'.$newrole.'=1'; } } } if (defined($form->{symb})) { my $destsymb = $form->{symb}; my $encrypted; if ($destsymb =~ m{^/enc/}) { $encrypted = 1; if ($cid) { $destsymb = &Apache::lonenc::unencrypted($destsymb,$cid); } } $destination .= ($destination =~ /\?/) ? '&' : '?'; if ($destsymb =~ /___/) { my ($map,$resid,$desturl)=split(/___/,$destsymb); $desturl = &Apache::lonnet::clutter($desturl); if ($encrypted) { $desturl = &Apache::lonenc::encrypted($desturl,1,$cid); $destsymb = $form->{symb}; } $desturl = &HTML::Entities::encode($desturl,'"<>&'); $destsymb = &HTML::Entities::encode($destsymb,'"<>&'); $destination .= 'destinationurl='.$desturl. '&destsymb='.$destsymb; } elsif (!$encrypted) { $destsymb = &HTML::Entities::encode($destsymb,'"<>&'); $destination .= 'destinationurl='.$destsymb; } } if ($destination =~ m{^/adm/roles}) { $destination .= ($destination =~ /\?/) ? '&' : '?'; $destination .= 'source=login'; } my $windowname = 'loncapaclient'; if ($env{'request.lti.login'}) { $windowname .= 'lti'; } my $windowinfo = Apache::lonhtmlcommon::scripttag('self.name="'.$windowname.'";'); my $brcrum = [{'href' => '', 'text' => 'Successful Login'},]; my $args = {'bread_crumbs' => $brcrum,}; unless ((defined($form->{role})) || (defined($form->{symb}))) { my $update=$env{'user.update.time'}; if (!$update) { $update = $env{'user.login.time'}; } my %roles_in_env; my $showcount = &Apache::lonroles::roles_from_env(\%roles_in_env,$update); if ($showcount == 1) { foreach my $rolecode (keys(%roles_in_env)) { my ($cid) = ($rolecode =~ m{^\Quser.role.st./\E($match_domain/$match_courseid)(?:/|$)}); if ($cid) { my %coursedescription = &Apache::lonnet::coursedescription($cid,{'one_time' => '1'}); if ($coursedescription{'type'} eq 'Placement') { $args->{'crstype'} = 'Placement'; } last; } } } } # ------------------------------------------------- Output for successful login &Apache::loncommon::content_type($r,'text/html'); if ($securecookie) { $r->headers_out->add('Set-cookie' => $securecookie); } if ($defaultcookie) { $r->headers_out->add('Set-cookie' => $defaultcookie); } $r->send_http_header; my ($start_page,$js,$pagebody,$end_page); if ($env{'request.lti.login'}) { $args = {'only_body' => 1}; if ($env{'request.lti.target'} eq '') { my $ltitarget = (($destination =~ /\?/) ? '&' : '?'). 'ltitarget=iframe'; $js = <<"ENDJS"; ENDJS $args->{'add_entries'} = {'onload' => "javascript:setLTItarget();"}; $pagebody = ''; } else { $args->{'redirect'} = [0,$destination,1]; } $start_page=&Apache::loncommon::start_page('',$js,$args); } else { $args->{'redirect'} = [0,$destination]; $start_page=&Apache::loncommon::start_page('Successful Login', $js,$args); my %lt=&Apache::lonlocal::texthash( 'wel' => 'Welcome', 'pro' => 'Login problems?', ); $pagebody = "
'.&mt('You are already logged in!').'
' .''.&mt('Please either [_1]continue the current session[_2] or [_3]log out[_4].' ,'','','','') .'
' .$end_page ); return OK; } } # ---------------------------------------------------- No valid token, continue my $buffer; if ($r->header_in('Content-length') > 0) { $r->read($buffer,$r->header_in('Content-length'),0); } my %form; foreach my $pair (split(/&/,$buffer)) { my ($name,$value) = split(/=/,$pair); $value =~ tr/+/ /; $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg; $form{$name}=$value; } if ((!$form{'uname'}) || (!$form{'upass0'}) || (!$form{'udom'})) { &failed($r,'Username, password and domain need to be specified.', \%form); return OK; } # split user logging in and "su"-user ($form{'uname'},$form{'suname'},$form{'sudom'})=split(/\:/,$form{'uname'}); $form{'uname'} = &LONCAPA::clean_username($form{'uname'}); $form{'suname'}= &LONCAPA::clean_username($form{'suname'}); $form{'udom'} = &LONCAPA::clean_domain($form{'udom'}); $form{'sudom'} = &LONCAPA::clean_domain($form{'sudom'}); my $role = $r->dir_config('lonRole'); my $domain = $r->dir_config('lonDefDomain'); my $prodir = $r->dir_config('lonUsersDir'); my $contact_name = &mt('LON-CAPA helpdesk'); # ---------------------------------------- Get the information from login token my $tmpinfo=Apache::lonnet::reply('tmpget:'.$form{'logtoken'}, $form{'serverid'}); if (($tmpinfo=~/^error/) || ($tmpinfo eq 'con_lost') || ($tmpinfo eq 'no_such_host')) { &failed($r,'Information needed to verify your login information is missing, inaccessible or expired.',\%form); return OK; } else { my $reply = &Apache::lonnet::reply('tmpdel:'.$form{'logtoken'}, $form{'serverid'}); if ( $reply ne 'ok' ) { &failed($r,'Session could not be opened.',\%form); &Apache::lonnet::logthis("ERROR got a reply of $reply when trying to contact ". $form{'serverid'}." to get login token"); return OK; } } if (!&Apache::lonnet::domain($form{'udom'})) { &failed($r,'The domain you provided is not a valid LON-CAPA domain.',\%form); return OK; } my ($key,$firsturl,$rolestr,$symbstr,$iptokenstr,$linkstr)=split(/&/,$tmpinfo); if ($rolestr) { $rolestr = &unescape($rolestr); } if ($symbstr) { $symbstr= &unescape($symbstr); } if ($iptokenstr) { $iptokenstr = &unescape($iptokenstr); } if ($linkstr) { $linkstr = &unescape($linkstr); } if ($firsturl =~ m{^/tiny/$match_domain/\w+$}) { $form{'firsturl'} = $firsturl; } if ($rolestr =~ /^role=/) { (undef,$form{'role'}) = split('=',$rolestr); } if ($symbstr =~ /^symb=/) { (undef,$form{'symb'}) = split('=',$symbstr); } if ($iptokenstr =~ /^iptoken=/) { (undef,$form{'iptoken'}) = split('=',$iptokenstr); } if ($linkstr =~ /^linkprot=/) { (undef,$form{'linkprot'}) = split('=',$linkstr); } elsif ($linkstr =~ /^linkkey=/) { (undef,$form{'linkkey'}) = split('=',$linkstr); } my $upass = $ENV{HTTPS} ? $form{'upass0'} : &Apache::loncommon::des_decrypt($key,$form{'upass0'}); # ---------------------------------------------------------------- Authenticate my %domconfig = &Apache::lonnet::get_dom('configuration',['usercreation'],$form{'udom'}); my ($cancreate,$statustocreate) = &Apache::createaccount::get_creation_controls($form{'udom'},$domconfig{'usercreation'}); my $defaultauth; if (ref($cancreate) eq 'ARRAY') { if (grep(/^login$/,@{$cancreate})) { $defaultauth = 1; } } my $clientcancheckhost = 1; my $authhost=Apache::lonnet::authenticate($form{'uname'},$upass, $form{'udom'},$defaultauth, $clientcancheckhost); # --------------------------------------------------------------------- Failed? if ($authhost eq 'no_host') { &failed($r,'Username and/or password could not be authenticated.', \%form); return OK; } elsif ($authhost eq 'no_account_on_host') { if ($defaultauth) { my $domdesc = &Apache::lonnet::domain($form{'udom'},'description'); unless (&check_can_host($r,\%form,'no_account_on_host',$domdesc)) { return OK; } my $start_page = &Apache::loncommon::start_page('Create a user account in LON-CAPA'); my $lonhost = $r->dir_config('lonHostID'); my $origmail = $Apache::lonnet::perlvar{'lonSupportEMail'}; my $contacts = &Apache::loncommon::build_recipient_list(undef,'helpdeskmail', $form{'udom'},$origmail); my ($contact_email) = split(',',$contacts); my $output = &Apache::createaccount::username_check($form{'uname'},$form{'udom'}, $domdesc,'',$lonhost, $contact_email,$contact_name, undef,$statustocreate); &Apache::loncommon::content_type($r,'text/html'); $r->send_http_header; &Apache::createaccount::print_header($r,$start_page); $r->print(''.&mt('You will be able to create one by logging into a LON-CAPA server within the [_1] domain.',$domdesc).'
'. ''.&mt('[_1]Log in[_2]','',''). &Apache::loncommon::end_page()); } else { $r->print(&Apache::loncommon::start_page('Access to LON-CAPA unavailable'). '
'.&mt('Currently a LON-CAPA server is not available within the [_1] domain for you to log-in to, to create an account.',$domdesc).'
'. &Apache::loncommon::end_page()); } } else { &success($r,$form->{'uname'},$udom,$authhost,'noredirect',undef, $form); if ($form->{'linkprot'}) { $env{'request.linkprot'} = $form->{'linkprot'}; } elsif ($form->{'firsturl'} =~ m{^/tiny/$match_domain/\w+$}) { if ($form->{'linkkey'}) { $env{'request.linkkey'} = $form->{'linkkey'}; } $env{'request.deeplink.login'} = $form->{'firsturl'}; } my ($otherserver) = &Apache::lonnet::choose_server($udom); $r->internal_redirect('/adm/switchserver?otherserver='.$otherserver); } } return $canhost; } sub noswitch { my $result = &Apache::loncommon::start_page('Access to LON-CAPA unavailable'). ''.&mt('Currently no other LON-CAPA server is available to host your session either.').'
'. &Apache::loncommon::end_page(); return $result; } sub loginhelpdisplay { my ($authdomain) = @_; my $login_help = 1; my $lang = &Apache::lonlocal::current_language(); if ($login_help) { my $dom = $authdomain; if ($dom eq '') { $dom = &Apache::lonnet::default_login_domain(); } my %domconfhash = &Apache::loncommon::get_domainconf($dom); my $loginhelp_url; if ($lang) { $loginhelp_url = $domconfhash{$dom.'.login.helpurl_'.$lang}; if ($loginhelp_url ne '') { return $loginhelp_url; } } $loginhelp_url = $domconfhash{$dom.'.login.helpurl_nolang'}; if ($loginhelp_url ne '') { return $loginhelp_url; } else { return '/adm/loginproblems.html'; } } return; } 1; __END__The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator at root@localhost to inform them of the time this error occurred, and the actions you performed just before this error.
More information about this error may be available in the server error log.