1: # The LearningOnline Network
2: # Authorization Handler for webDAV access to Authoring Space.
3: #
4: # $Id: lonwebdavacc.pm,v 1.1 2012/02/27 03:06:33 raeburn Exp $
5: #
6: # Copyright Michigan State University Board of Trustees
7: #
8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
9: #
10: # LON-CAPA is free software; you can redistribute it and/or modify
11: # it under the terms of the GNU General Public License as published by
12: # the Free Software Foundation; either version 2 of the License, or
13: # (at your option) any later version.
14: #
15: # LON-CAPA is distributed in the hope that it will be useful,
16: # but WITHOUT ANY WARRANTY; without even the implied warranty of
17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18: # GNU General Public License for more details.
19: #
20: # You should have received a copy of the GNU General Public License
21: # along with LON-CAPA; if not, write to the Free Software
22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23: #
24: # /home/httpd/html/adm/gpl.txt
25: #
26: # http://www.lon-capa.org/
27: #
28:
29: =pod
30:
31: =head1 NAME
32:
33: Apache::lonwebdavacc - webDAV Authorization Handler
34:
35: =head1 SYNOPSIS
36:
37: Invoked for /+webdav/[\w\-]+/[\w\-]+/ by
38: /etc/httpd/conf/loncapa_apache.conf:
39:
40: PerlAccessHandler Apache::lonwebdavacc
41:
42: =head1 INTRODUCTION
43:
44: This module enables authorization for authoring space
45: and is used to control access for the following type of URI:
46:
47: <LocationMatch "^/webdav/[\w\-]+/[\w\-]+>
48:
49: This module is only called following successful authentication.
50: Unless lonOtherAuthen has been set, so Single Sign On can be used,
51: successful authentication will have created a session file and
52: transferred the contents to the user's environment.
53:
54: In the case of SSO, there is no existing user environment, but
55: $r->user will have been set to the user's username, following
56: successful authentication. For SSO, the webDAV session file
57: and environment are set up by a call to
58: Apache::lonwebdavauth::init_webdav_env().
59:
60: Note: because Apache Basic Auth is used for authentication (unless SSO)
61: webDAV access is only available for servers running Apache with SSL.
62:
63: This is part of the LearningOnline Network with CAPA project
64: described at http://www.lon-capa.org.
65:
66: =head1 HANDLER SUBROUTINE
67:
68: This routine is called by Apache and mod_perl.
69:
70: =over 4
71:
72: =item *
73:
74: Checks if $env{'user.environment'} is defined.
75:
76: =item *
77:
78: If no %env, this was SSO authentication so call to &sso_login() to
79: create session, and return cookie.
80:
81: =item *
82:
83: Checks if requested URL (of form /webdav/authordomain/authorname) is valid
84: and whether authenticated user has an active author or co-author
85: role in the corresonding Author Space.
86:
87: =back
88:
89: =head1 NOTABLE SUBROUTINES
90:
91: =over
92:
93: =item * sso_login()
94:
95: =over
96:
97: =item *
98:
99: Called if no user.environment exists in %env.
100:
101: =item *
102:
103: Checks if $r->user contains a valid user.
104:
105: =item *
106:
107: Domain is set either from lonSSOUserDomain perlvar (if defined)
108: or from lonDefDomain perlvar.
109:
110: =item *
111:
112: For a valid user a new session file and is created, and the corresponding
113: cookie is returned to the client in an Apache response header.
114:
115: =back
116:
117: =back
118:
119: =cut
120:
121: package Apache::lonwebdavacc;
122:
123: use strict;
124: use GDBM_File;
125: use Apache::Constants qw(:common :http :methods);
126: use Apache::lonnet;
127: use LONCAPA qw(:DEFAULT :match);
128:
129: sub handler {
130: my $r = shift;
131: my $timetolive = 600;
132: my $now = time;
133: my $sessiondir=$r->dir_config('lonDAVsessDir');
134:
135: my ($adom,$aname);
136: unless ($env{'user.environment'}) {
137: my $handle = &Apache::lonnet::check_for_valid_session($r,'lonDAV');
138: if ($handle eq '') {
139: $handle = &sso_login($r,$sessiondir,$now,$timetolive);
140: if ($handle eq '') {
141: return FORBIDDEN;
142: }
143: } else {
144: &Apache::lonnet::transfer_profile_to_env($sessiondir,$handle);
145: }
146: }
147: my $uhome=&Apache::lonnet::homeserver($env{'user.name'},$env{'user.domain'});
148: if ($uhome =~ /^(con_lost|no_host|no_such_host)$/) {
149: return FORBIDDEN;
150: }
151:
152: ($adom,$aname) = ($r->uri =~ m{^/webdav/($match_domain)/($match_username)/});
153: my $docroot = $r->dir_config('lonDocRoot');
154: if ($adom eq '' || $aname eq '') {
155: return FORBIDDEN;
156: } elsif (!-d "$docroot/priv/$adom/$aname") {
157: return FORBIDDEN;
158: }
159: # FIXME method check for MKCOL MOVE PUT DELETE for *.log, *.bak
160: # FIXME method check for regexp for "version-style" names: /\.\d+\.\w+$/
161: # for MOVE PUT MKCOL
162: if (($env{'user.name'} eq $aname) && ($env{'user.domain'} eq $adom)) {
163: if ($env{"user.role.au./$adom/"}) {
164: return OK;
165: }
166: } else {
167: if (($env{"user.role.ca./$adom/$aname"}) ||
168: (env{"user.role.aa./$adom/$aname"})) {
169: return OK;
170: }
171: }
172: return FORBIDDEN;
173: }
174:
175: sub sso_login {
176: my ($r,$sessiondir,$now,$timetolive) = @_;
177: my ($uname,$udom);
178: my ($uname) = ($r->user =~ m/([a-zA-Z0-9_\-@.]*)/);
179: unless ($uname =~ /^$match_username$/) {
180: return;
181: }
182: $udom = $r->dir_config('lonSSOUserDomain');
183: if ($udom eq '') {
184: $udom = $r->dir_config('lonDefDomain');
185: }
186: unless (($udom =~ /^$match_domain$/)) {
187: return;
188: }
189: my $uhome = &Apache::lonnet::homeserver($uname,$udom);
190: if ($uhome =~ /^(con_lost|no_host|no_such_host)$/) {
191: return;
192: }
193: my $handle =
194: &Apache::lonwebdavauth::init_webdav_env($sessiondir,$uname,$udom,
195: $uhome,$now,$timetolive);
196: if ($handle ne '') {
197: my $cookie = "lonDAV=$handle; path=/webdav/; secure; HttpOnly;";
198: $r->header_out('Set-cookie' => $cookie);
199: $r->send_http_header;
200: }
201: return ($handle);
202: }
203:
204: 1;
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>