[LON-CAPA-cvs] cvs: loncom / lond
foxr
lon-capa-cvs@mail.lon-capa.org
Tue, 26 Aug 2003 11:15:57 -0000
foxr Tue Aug 26 07:15:57 2003 EDT
Modified files:
/loncom lond
Log:
Added infrastructure for validating management requests... based on
loncapa host id. In the present testing version, a host is authenticated as
a manager if it is a valid member of the cluster. This will, of course, change
soon.
Index: loncom/lond
diff -u loncom/lond:1.139 loncom/lond:1.140
--- loncom/lond:1.139 Mon Aug 25 11:33:47 2003
+++ loncom/lond Tue Aug 26 07:15:57 2003
@@ -2,7 +2,7 @@
# The LearningOnline Network
# lond "LON Daemon" Server (port "LOND" 5663)
#
-# $Id: lond,v 1.139 2003/08/25 15:33:47 albertel Exp $
+# $Id: lond,v 1.140 2003/08/26 11:15:57 foxr Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -81,12 +81,14 @@
my $status='';
my $lastlog='';
-my $VERSION='$Revision: 1.139 $'; #' stupid emacs
+my $VERSION='$Revision: 1.140 $'; #' stupid emacs
my $remoteVERSION;
my $currenthostid;
my $currentdomainid;
my $client;
+my $clientip;
+
my $server;
my $thisserver;
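Review bot: `my $clientip;` becomes a file-scope lexical here (the per-child declaration is dropped in the later hunk at the fork), but nothing at the declaration says who assigns it or when; the assignment is outside this view. A comment on the declaration such as `# IP of the connected client, set per forked child; read by GetCertificate` would make the dependency visible, because a read before assignment yields undef and ValidManager would then look up an undef key in %hostid.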
@@ -133,6 +135,44 @@
#
+# GetCertificate: Given a transaction that requires a certificate,
+# this function will extract the certificate from the transaction
+# request. Note that at this point, the only concept of a certificate
+# is the hostname to which we are connected.
+#
+# Parameter:
+# request - The request sent by our client (this parameterization may
+# need to change when we really use a certificate granting
+# authority.
+#
+sub GetCertificate {
+ my $request = shift;
+
+ return $clientip;
+}
+
+
+#
+# ValidManager: Determines if a given certificate represents a valid manager.
+# in this primitive implementation, the 'certificate' is
+# just the connecting loncapa client name. This is checked
+# against a valid client list in the configuration.
+#
+#
+sub ValidManager {
+ my $certificate = shift;
+
+ my $hostentry = $hostid{$certificate};
+ if ($hostentry ne undef) {
+ &logthis('<font color="yellow">Authenticating manager'.
+ " $hostentry</font>");
+ return 1;
+ } else {
+ &logthis('<font color="red"> Failed manager authentication '.
+ "$certificate </font>");
+ }
+}
+#
# Convert an error return code from lcpasswd to a string value.
#
sub lcpasswdstrerror {
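Review bot: ValidManager has no explicit return on the failure path, so the `if(ValidManager($cert))` callers in the pushfile and reinit handlers see whatever &logthis returns as the last evaluated expression; if that is ever a true value, a client whose host is not in %hostid would be accepted as a manager. Add `return 0;` after the failure log, and replace `if ($hostentry ne undef)` with `if (defined $hostentry)`, since `ne undef` is a string comparison against the empty string (with an uninitialized-value warning under `use warnings`) rather than a presence test. GetCertificate ignores its `$request` argument and just returns the file-scope `$clientip`, so being listed in %hostid is the entire manager check; a comment at the top of ValidManager such as `# TODO: the 'certificate' is only the client IP; every host in %hostid is currently accepted as a manager` would keep that limitation visible until the real certificate check lands.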
@@ -534,7 +574,6 @@
sigprocmask(SIG_BLOCK, $sigset)
or die "Can't block SIGINT for fork: $!\n";
- my $clientip;
die "fork: $!" unless defined ($pid = fork);
if ($pid) {
@@ -703,10 +742,28 @@
}
#--------------------------------------------------------------------- pushfile
} elsif($userinput =~ /^pushfile/) {
- print $client "ok\n";
+ if($wasenc == 1) {
+ my $cert = GetCertificate($userinput);
+ if(ValidManager($cert)) {
+ print $client "ok\n";
+ } else {
+ print $client "refused\n";
+ }
+ } else {
+ print $client "refused\n";
+ }
#--------------------------------------------------------------------- reinit
} elsif($userinput =~ /^reinit/) {
- print $client "ok\n";
+ if ($wasenc == 1) {
+ my $cert = GetCertificate($userinput);
+ if(ValidManager($cert)) {
+ print $client "ok\n";
+ } else {
+ print $client "refused\n";
+ }
+ } else {
+ print $client "refused\n";
+ }
# ------------------------------------------------------------------------ auth
} elsif ($userinput =~ /^auth/) {
if ($wasenc==1) {
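Review bot: The pushfile and reinit branches repeat the same nine-line gate verbatim, and both failure reasons (unencrypted request, host not in %hostid) collapse to the same `refused` reply, so only the ValidManager log line distinguishes them and the unencrypted case leaves no trace in the daemon log at all. The gate reduces to `if ($wasenc == 1 && ValidManager(GetCertificate($userinput))) { print $client "ok\n"; } else { print $client "refused\n"; }` in each branch, or better to one small helper shared by both, with a `&logthis` call for the unencrypted refusal so it is recorded like the other one. Both branches still only print `ok` and do nothing with the request, which I take to be the testing stub the log message describes; the enclosing `elsif` chain starts and ends outside this hunk.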