[LON-CAPA-cvs] cvs: loncom /auth lonacc.pm lonauth.pm lonlogin.pm migrateuser.pm switchserver.pm /interface domainprefs.pm loncommon.pm
raeburn
raeburn at source.lon-capa.org
Sat Sep 28 20:49:29 EDT 2013
raeburn Sun Sep 29 00:49:29 2013 EDT
Modified files:
/loncom/auth lonacc.pm lonauth.pm lonlogin.pm migrateuser.pm
switchserver.pm
/loncom/interface loncommon.pm domainprefs.pm
Log:
- Bug 6675
- Case where $env{'REMOTE_ADDR'} as reported to server selected to host
user session, is different from $env{'REMOTE_ADDR'} as reported to
server which handled original authentication request.
- Domain configuration for a load balancing server can be set to one of
the following, if an IP mismatch is detected by /adm/migrateuser
during credentials checking after redirect via /adm/switchserver
(i) Session will be hosted on Load Balancer
(ii) Session will be hosted on offload server
for each of (a) SSO users from load balancer's domain, (b) non-SSO users
- Setting to host on load balancer will be ignored if switch server was called
by an author or co-author switching to server housing the authoring space.
Index: loncom/auth/lonacc.pm
diff -u loncom/auth/lonacc.pm:1.144 loncom/auth/lonacc.pm:1.145
--- loncom/auth/lonacc.pm:1.144 Fri May 10 17:49:17 2013
+++ loncom/auth/lonacc.pm Sun Sep 29 00:49:24 2013
@@ -1,7 +1,7 @@
# The LearningOnline Network
# Cookie Based Access Handler
#
-# $Id: lonacc.pm,v 1.144 2013/05/10 17:49:17 raeburn Exp $
+# $Id: lonacc.pm,v 1.145 2013/09/29 00:49:24 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -287,7 +287,7 @@
my $query = $r->args;
my %form;
if ($query) {
- my @items = ('role','symb');
+ my @items = ('role','symb','iptoken');
&Apache::loncommon::get_unprocessed_cgi($query,\@items);
foreach my $item (@items) {
if (defined($env{'form.'.$item})) {
@@ -296,6 +296,12 @@
}
}
+ my %sessiondata;
+ if ($form{'iptoken'}) {
+ %sessiondata = &Apache::lonnet::tmpget($form{'iptoken'});
+ my $delete = &Apache::lonnet::tmpdel($form{'token'});
+ }
+
my $domain = $r->dir_config('lonSSOUserDomain');
if ($domain eq '') {
$domain = $r->dir_config('lonDefDomain');
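Review bot: The one-time record is fetched with `$form{'iptoken'}` but the delete on the following line passes `$form{'token'}`, which is not among the items this hunk reads from the query (`role`, `symb`, `iptoken`), so the iptoken entry is never removed and remains reusable until it expires. The same mismatch appears in lonauth.pm (`tmpdel($form{'token'})`) and in lonlogin.pm (`tmpdel($env{'form.token'})`), where `token` is a genuine login field, so the wrong record would be deleted there. Use `my $delete = &Apache::lonnet::tmpdel($form{'iptoken'});` in all three places, and since `$delete` is otherwise unused, either check its result or drop the assignment. The enclosing handler continues outside the hunk.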
@@ -303,8 +309,18 @@
my $home=&Apache::lonnet::homeserver($user,$domain);
if ($home !~ /(con_lost|no_host|no_such_host)/) {
&Apache::lonnet::logthis(" SSO authorized user $user ");
- my ($is_balancer,$otherserver) =
- &Apache::lonnet::check_loadbalancing($user,$domain);
+ my ($is_balancer,$otherserver,$hosthere);
+ if ($form{'iptoken'}) {
+ if (($sessiondata{'domain'} eq $form{'udom'}) &&
+ ($sessiondata{'username'} eq $form{'uname'})) {
+ $hosthere = 1;
+ }
+ }
+ unless ($hosthere) {
+ ($is_balancer,$otherserver) =
+ &Apache::lonnet::check_loadbalancing($user,$domain);
+ }
+
if ($is_balancer) {
# login but immediately go to switch server to find us a new
# machine
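Review bot: `$hosthere` is derived from `$form{'udom'}` and `$form{'uname'}`, but the query parsing earlier in this file only loads `role`, `symb` and `iptoken` into `%form`, so unless those keys are populated elsewhere (not visible here) they are undef, and `undef eq undef` is true — the comparison then succeeds exactly when `%sessiondata` is empty, i.e. when the token lookup failed, and fails when a real token was found. The SSO identity this path establishes is in `$user` and `$domain`, which is what the token data should be compared to, with an explicit non-empty guard: `if (($sessiondata{'username'} ne '') && ($sessiondata{'username'} eq $user) && ($sessiondata{'domain'} eq $domain)) {`. The enclosing block continues outside the hunk.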
@@ -477,6 +493,9 @@
$checkexempt = 1;
}
}
+ if ($env{'user.noloadbalance'} eq $r->dir_config('lonHostID')) {
+ $checkexempt = 1;
+ }
unless ($checkexempt) {
($is_balancer,$otherserver) =
&Apache::lonnet::check_loadbalancing($env{'user.name'},
Index: loncom/auth/lonauth.pm
diff -u loncom/auth/lonauth.pm:1.126 loncom/auth/lonauth.pm:1.127
--- loncom/auth/lonauth.pm:1.126 Wed Aug 21 16:15:44 2013
+++ loncom/auth/lonauth.pm Sun Sep 29 00:49:24 2013
@@ -1,7 +1,7 @@
# The LearningOnline Network
# User Authentication Module
#
-# $Id: lonauth.pm,v 1.126 2013/08/21 16:15:44 bisitz Exp $
+# $Id: lonauth.pm,v 1.127 2013/09/29 00:49:24 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -259,7 +259,7 @@
$value =~ tr/+/ /;
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg;
$form{$name}=$value;
- }
+ }
if ((!$form{'uname'}) || (!$form{'upass0'}) || (!$form{'udom'})) {
&failed($r,'Username, password and domain need to be specified.',
@@ -284,6 +284,12 @@
my $tmpinfo=Apache::lonnet::reply('tmpget:'.$form{'logtoken'},
$form{'serverid'});
+ my %sessiondata;
+ if ($form{'iptoken'}) {
+ %sessiondata = &Apache::lonnet::tmpget($form{'iptoken'});
+ my $delete = &Apache::lonnet::tmpdel($form{'token'});
+ }
+
if (($tmpinfo=~/^error/) || ($tmpinfo eq 'con_lost') ||
($tmpinfo eq 'no_such_host')) {
&failed($r,'Information needed to verify your login information is missing, inaccessible or expired.',\%form);
@@ -396,6 +402,15 @@
($firsturl=~/^\/adm\/(logout|remote)/)) {
$firsturl='/adm/roles';
}
+
+ my $hosthere;
+ if ($form{'iptoken'}) {
+ if (($sessiondata{'domain'} eq $form{'udom'}) &&
+ ($sessiondata{'username'} eq $form{'uname'})) {
+ $hosthere = 1;
+ }
+ }
+
# --------------------------------- Are we attempting to login as somebody else?
if ($form{'suname'}) {
# ------------ see if the original user has enough privileges to pull this stunt
@@ -419,8 +434,12 @@
}
}
- my ($is_balancer,$otherserver) =
- &Apache::lonnet::check_loadbalancing($form{'uname'},$form{'udom'});
+ my ($is_balancer,$otherserver);
+
+ unless ($hosthere) {
+ ($is_balancer,$otherserver) =
+ &Apache::lonnet::check_loadbalancing($form{'uname'},$form{'udom'});
+ }
if ($is_balancer) {
if (!$otherserver) {
Index: loncom/auth/lonlogin.pm
diff -u loncom/auth/lonlogin.pm:1.156 loncom/auth/lonlogin.pm:1.157
--- loncom/auth/lonlogin.pm:1.156 Fri Sep 13 21:28:18 2013
+++ loncom/auth/lonlogin.pm Sun Sep 29 00:49:24 2013
@@ -1,7 +1,7 @@
# The LearningOnline Network
# Login Screen
#
-# $Id: lonlogin.pm,v 1.156 2013/09/13 21:28:18 raeburn Exp $
+# $Id: lonlogin.pm,v 1.157 2013/09/29 00:49:24 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -46,7 +46,7 @@
(join('&',$ENV{'QUERY_STRING'},$env{'request.querystring'},
$ENV{'REDIRECT_QUERY_STRING'}),
['interface','username','domain','firsturl','localpath','localres',
- 'token','role','symb']);
+ 'token','role','symb','iptoken']);
if (!defined($env{'form.firsturl'})) {
&Apache::lonacc::get_posted_cgi($r,['firsturl']);
}
@@ -103,11 +103,18 @@
# ---------------------------------------------------- No valid token, continue
- # ---------------------------- Not possible to really login to domain "public"
+# ---------------------------- Not possible to really login to domain "public"
if ($env{'form.domain'} eq 'public') {
$env{'form.domain'}='';
$env{'form.username'}='';
}
+
+# ------ Is this page requested because /adm/migrateuser detected an IP change?
+ my %sessiondata;
+ if ($env{'form.iptoken'}) {
+ %sessiondata = &Apache::lonnet::tmpget($env{'form.iptoken'});
+ my $delete = &Apache::lonnet::tmpdel($env{'form.token'});
+ }
# ----------------------------------------------------------- Process Interface
$env{'form.interface'}=~s/\W//g;
@@ -120,17 +127,23 @@
my $lonhost = $r->dir_config('lonHostID');
my $domain = &Apache::lonnet::default_login_domain();
if ($lonhost ne '') {
- my $redirect = &check_loginvia($domain,$lonhost);
- if ($redirect) {
- $r->print($redirect);
- return OK;
- }
+ unless ($sessiondata{'sessionserver'}) {
+ my $redirect = &check_loginvia($domain,$lonhost);
+ if ($redirect) {
+ $r->print($redirect);
+ return OK;
+ }
+ }
}
- if (($env{'form.domain'}) &&
+ if (($sessiondata{'domain'}) &&
+ (&Apache::lonnet::domain($env{'form.domain'},'description'))) {
+ $domain=$sessiondata{'domain'};
+ } elsif (($env{'form.domain'}) &&
(&Apache::lonnet::domain($env{'form.domain'},'description'))) {
$domain=$env{'form.domain'};
}
+
my $role = $r->dir_config('lonRole');
my $loadlim = $r->dir_config('lonLoadLim');
my $uloadlim= $r->dir_config('lonUserLoadLim');
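Review bot: The new branch validates `$env{'form.domain'}` but then assigns `$sessiondata{'domain'}`, so a token whose domain differs from the form value is checked against the wrong string, and an absent form domain makes the branch fail even when the token domain is valid. The condition should test the value it uses: `if (($sessiondata{'domain'}) && (&Apache::lonnet::domain($sessiondata{'domain'},'description'))) {`. The handler continues outside the hunk.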
@@ -142,9 +155,18 @@
my $host_name = &Apache::lonnet::hostname($lonhost);
# --------------------------------------------- Default values for login fields
-
- my $authusername=($env{'form.username'}?$env{'form.username'}:'');
- my $authdomain=($env{'form.domain'}?$env{'form.domain'}:$domain);
+
+ my ($authusername,$authdomain);
+ if ($sessiondata{'username'}) {
+ $authusername=$sessiondata{'username'};
+ } else {
+ $authusername=($env{'form.username'}?$env{'form.username'}:'');
+ }
+ if ($sessiondata{'domain'}) {
+ $authdomain=$sessiondata{'domain'};
+ } else {
+ $authdomain=($env{'form.domain'}?$env{'form.domain'}:$domain);
+ }
# ---------------------------------------------------------- Determine own load
my $loadavg;
Index: loncom/auth/migrateuser.pm
diff -u loncom/auth/migrateuser.pm:1.17 loncom/auth/migrateuser.pm:1.18
--- loncom/auth/migrateuser.pm:1.17 Thu Jun 6 12:39:06 2013
+++ loncom/auth/migrateuser.pm Sun Sep 29 00:49:24 2013
@@ -1,7 +1,7 @@
# The LearningOnline Network
# Starts a user off based of an existing token.
#
-# $Id: migrateuser.pm,v 1.17 2013/06/06 12:39:06 raeburn Exp $
+# $Id: migrateuser.pm,v 1.18 2013/09/29 00:49:24 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -34,6 +34,7 @@
use Apache::lonauth;
use Apache::lonnet;
use Apache::lonlocal;
+use Apache::lonlogin();
sub goto_login {
my ($r) = @_;
@@ -52,16 +53,126 @@
sub sso_check {
my ($data) = @_;
my %extra_env;
- if ($data->{'sso.login'}) {
- $extra_env{'request.sso.login'} = $data->{'sso.login'};
- }
- if ($data->{'sso.reloginserver'}) {
- $extra_env{'request.sso.reloginserver'} =
- $data->{'sso.reloginserver'};
+ if (ref($data) eq 'HASH') {
+ if ($data->{'sso.login'}) {
+ $extra_env{'request.sso.login'} = $data->{'sso.login'};
+ }
+ if ($data->{'sso.reloginserver'}) {
+ $extra_env{'request.sso.reloginserver'} =
+ $data->{'sso.reloginserver'};
+ }
}
return \%extra_env;
}
+sub ip_changed {
+ my ($r,$udom,$camefrom,$dataref) = @_;
+ &Apache::loncommon::content_type($r,'text/html');
+ $r->send_http_header;
+ if (ref($dataref) eq 'HASH') {
+ my $title = 'LON-CAPA Session redirected';
+ my $message = &mt('Your internet address has changed since you logged in.');
+ my $camefrom = &Apache::lonnet::hostname($dataref->{'server'});
+ my $frombalancer = $dataref->{'balancer'};
+ my $rule_in_effect;
+ if ($frombalancer) {
+ my $balancerdom = &Apache::lonnet::host_domain($dataref->{'server'});
+ my ($result,$cached)=&Apache::lonnet::is_cached_new('loadbalancing',$balancerdom);
+ unless (defined($cached)) {
+ my $cachetime = 60*60*24;
+ my %domconfig =
+ &Apache::lonnet::get_dom('configuration',['loadbalancing'],$balancerdom);
+ if (ref($domconfig{'loadbalancing'}) eq 'HASH') {
+ $result = &Apache::lonnet::do_cache_new('loadbalancing',$balancerdom,
+ $domconfig{'loadbalancing'},$cachetime);
+ }
+ }
+ if (ref($result) eq 'HASH') {
+ (undef,my $currtargets,my $currrules) =
+ &Apache::lonnet::check_balancer_result($result,$dataref->{'server'});
+ if (ref($currrules) eq 'HASH') {
+ if ($dataref->{'sso.login'}) {
+ if ($currrules->{'_LC_ipchangesso'} ne '') {
+ $rule_in_effect = $currrules->{'_LC_ipchangesso'};
+ }
+ } else {
+ if ($currrules->{'_LC_ipchange'} ne '') {
+ $rule_in_effect = $currrules->{'_LC_ipchange'};
+ }
+ }
+ }
+ }
+ }
+ my $url;
+ my $lonhost= $r->dir_config('lonHostID');
+ my $switchto = $lonhost;
+ if ($rule_in_effect eq 'balancer') {
+ my $hosthere;
+ if ($dataref->{'role'}) {
+ my ($adom,$aname);
+ if ($dataref->{'role'} =~ m{^au\./($match_domain)/$}) {
+ $adom = $1;
+ $aname = $dataref->{'username'};
+ } elsif ($dataref->{'role'} =~ m{^(?:ca|aa)\./($match_domain)/($match_username)$}) {
+ $adom = $1;
+ $aname = $2;
+ }
+ if ($adom ne '' && $aname ne '') {
+ my $ahome = &Apache::lonnet::homeserver($aname,$adom);
+ unless ($ahome eq 'no_host') {
+ my @ids=&Apache::lonnet::current_machine_ids();
+ if ($ahome && grep(/^\Q$ahome\E$/, at ids)) {
+ $hosthere = 1;
+ }
+ }
+ }
+ }
+ unless ($hosthere) {
+ my $hostname = &Apache::lonnet::hostname($dataref->{'server'});
+ if ($hostname) {
+ $switchto = $dataref->{'server'};
+ my $protocol = $Apache::lonnet::protocol{$switchto};
+ $protocol = 'http' if ($protocol ne 'https');
+ $url = $protocol.'://'.$hostname;
+ $message .= '<br />'.
+ &mt('As a result, your LON-CAPA session is being redirected to the server where you originally logged in.');
+ }
+ }
+ }
+ if ($dataref->{'sso.login'}) {
+ $url .= '/adm/roles?';
+ } else {
+ $url .= '/adm/login?';
+ $message .= '<br />'.&mt('You will need to provide your password one more time');
+ }
+ my %info= (
+ 'domain' => $dataref->{'domain'},
+ 'username' => $dataref->{'username'},
+ 'role' => $dataref->{'role'},
+ 'sessionserver' => $lonhost,
+ );
+ if ($dataref->{'origurl'}) {
+ $info{'origurl'} = $dataref->{'origurl'};
+ }
+ if ($dataref->{'symb'}) {
+ $info{'symb'} = $dataref->{'symb'};
+ }
+ my $iptoken = &Apache::lonnet::tmpput(\%info,$switchto);
+ unless ($iptoken eq 'conlost') {
+ $url .= 'iptoken='.$iptoken;
+ }
+ $r->print(&Apache::loncommon::start_page($title,undef,
+ {'redirect' =>
+ [2,$url],}).
+ '<h1>'.&mt('One moment please...').'</h1>'.
+ '<p class="LC_warning">'.$message.'</p>'.
+ &Apache::loncommon::end_page());
+ } else {
+ return &goto_login($r);
+ }
+ return OK;
+}
+
sub handler {
my ($r) = @_;
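Review bot: `unless ($iptoken eq 'conlost')` compares the tmpput result against a spelling that differs from the lonnet failure string used elsewhere in this same commit (`con_lost` in lonacc.pm and lonauth.pm), so a failed store would most likely append `iptoken=con_lost` to the redirect URL instead of being skipped; compare against `'con_lost'` (or whatever tmpput actually returns on failure) and fall back to the login page without a token. Separately, `ip_changed` declares `$camefrom` in its argument list and then redeclares it with `my $camefrom = &Apache::lonnet::hostname(...)`, shadowing the value the handler passes as `$data{'server'}`; neither that argument nor `$udom` is used, so drop both parameters or rename the local. The `grep(/^\Q$ahome\E$/, at ids)` line reads as a mail-archive rewrite of `@ids` rather than a change in the source.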
@@ -78,9 +189,11 @@
return &goto_login($r);
}
- if ($data{'ip'} ne $ENV{'REMOTE_ADDR'} || !defined($data{'username'}) ||
- !defined($data{'domain'}) ) {
- return &goto_login($r);
+ if (!defined($data{'username'}) || !defined($data{'domain'})) {
+ return &goto_login($r);
+ }
+ if ($data{'ip'} ne $ENV{'REMOTE_ADDR'}) {
+ return &ip_changed($r,$data{'domain'},$data{'server'},\%data);
}
&Apache::lonnet::logthis("Allowing access for $data{'username'}:$data{'domain'} to $data{'role'}");
Index: loncom/auth/switchserver.pm
diff -u loncom/auth/switchserver.pm:1.31 loncom/auth/switchserver.pm:1.32
--- loncom/auth/switchserver.pm:1.31 Tue Aug 2 14:17:13 2011
+++ loncom/auth/switchserver.pm Sun Sep 29 00:49:24 2013
@@ -1,7 +1,7 @@
# The LearningOnline Network
# Switch Servers Handler
#
-# $Id: switchserver.pm,v 1.31 2011/08/02 14:17:13 raeburn Exp $
+# $Id: switchserver.pm,v 1.32 2013/09/29 00:49:24 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -173,11 +173,13 @@
# ---------------------------------------------------------------- Get handover
+ my ($is_balancer) = &Apache::lonnet::check_loadbalancing($env{'user.name'},$env{'user.domain'});
my %info=('ip' => $ENV{'REMOTE_ADDR'},
'domain' => $env{'user.domain'},
'username' => $env{'user.name'},
'role' => $env{'form.role'},
- 'server' => $r->dir_config('lonHostID'));
+ 'server' => $r->dir_config('lonHostID'),
+ 'balancer' => $is_balancer);
if ($env{'form.origurl'}) {
$info{'origurl'} = $env{'form.origurl'};
}
Index: loncom/interface/loncommon.pm
diff -u loncom/interface/loncommon.pm:1.1156 loncom/interface/loncommon.pm:1.1157
--- loncom/interface/loncommon.pm:1.1156 Sat Sep 21 13:56:22 2013
+++ loncom/interface/loncommon.pm Sun Sep 29 00:49:28 2013
@@ -1,7 +1,7 @@
# The LearningOnline Network with CAPA
# a pile of common routines
#
-# $Id: loncommon.pm,v 1.1156 2013/09/21 13:56:22 raeburn Exp $
+# $Id: loncommon.pm,v 1.1157 2013/09/29 00:49:28 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -14414,6 +14414,12 @@
$env{'browser.interface'}=$form->{'interface'};
}
+ if ($form->{'iptoken'}) {
+ my $lonhost = $r->dir_config('lonHostID');
+ $initial_env{"user.noloadbalance"} = $lonhost;
+ $env{'user.noloadbalance'} = $lonhost;
+ }
+
my %is_adv = ( is_adv => $env{'user.adv'} );
my %domdef;
unless ($domain eq 'public') {
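Review bot: `user.noloadbalance` is set whenever the login form carries any `iptoken` value, without confirming that the token was found and matched this user, so the mere presence of the parameter is enough to exempt a session from the load-balancing check that lonacc.pm now keys on `user.noloadbalance`. The exemption should be granted only after the token data has been validated by the caller (the `$hosthere` test in lonauth.pm / lonacc.pm), e.g. by passing that result in rather than testing `$form->{'iptoken'}`; if `$form` is the only channel available here, look the token up with `tmpget` and compare its username/domain to the user being initialised before setting the env value. The enclosing function starts outside the hunk.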
Index: loncom/interface/domainprefs.pm
diff -u loncom/interface/domainprefs.pm:1.208 loncom/interface/domainprefs.pm:1.209
--- loncom/interface/domainprefs.pm:1.208 Sat Sep 21 13:49:31 2013
+++ loncom/interface/domainprefs.pm Sun Sep 29 00:49:28 2013
@@ -1,7 +1,7 @@
# The LearningOnline Network with CAPA
# Handler to set domain-wide configuration settings
#
-# $Id: domainprefs.pm,v 1.208 2013/09/21 13:49:31 raeburn Exp $
+# $Id: domainprefs.pm,v 1.209 2013/09/29 00:49:28 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -2997,7 +2997,7 @@
}
my ($othertitle,$usertypes,$types) =
&Apache::loncommon::sorted_inst_types($dom);
- my $rownum = 6;
+ my $rownum = 8;
if (ref($types) eq 'ARRAY') {
$rownum += scalar(@{$types});
}
@@ -3176,7 +3176,7 @@
if (ref($currrules) eq 'HASH') {
$current = $currrules->{$type};
}
- if (($type eq '_LC_external') || ($type eq '_LC_internetdom')) {
+ if (($type eq '_LC_external') || ($type eq '_LC_internetdom') || ($type eq '_LC_ipchange')) {
if ($dom ne &Apache::lonnet::host_domain($lonhost)) {
$current = '';
}
@@ -3197,8 +3197,10 @@
'_LC_author' => &mt('Users from [_1] with author role',$dom),
'_LC_internetdom' => &mt('Users not from [_1], but from [_2]',$dom,$intdom),
'_LC_external' => &mt('Users not from [_1]',$intdom),
+ '_LC_ipchangesso' => &mt('SSO users from [_1], with IP mismatch',$dom),
+ '_LC_ipchange' => &mt('Non-SSO users with IP mismatch'),
);
- my @alltypes = ('_LC_adv','_LC_author','_LC_internetdom','_LC_external');
+ my @alltypes = ('_LC_adv','_LC_author','_LC_internetdom','_LC_external','_LC_ipchangesso','_LC_ipchange');
if (ref($types) eq 'ARRAY') {
unshift(@alltypes,@{$types},'default');
}
@@ -3223,16 +3225,21 @@
sub loadbalance_rule_row {
my ($type,$title,$current,$servers,$currbalancer,$lonhost,$dom,
$targets_div_style,$homedom_div_style,$css_class,$balnum,$num,$islast) = @_;
- my @rulenames = ('default','homeserver');
+ my @rulenames;
my %ruletitles = &offloadtype_text();
- if ($type eq '_LC_external') {
- push(@rulenames,'externalbalancer');
+ if (($type eq '_LC_ipchangesso') || ($type eq '_LC_ipchange')) {
+ @rulenames = ('balancer','offloadedto');
} else {
- push(@rulenames,'specific');
+ @rulenames = ('default','homeserver');
+ if ($type eq '_LC_external') {
+ push(@rulenames,'externalbalancer');
+ } else {
+ push(@rulenames,'specific');
+ }
+ push(@rulenames,'none');
}
- push(@rulenames,'none');
my $style = $targets_div_style;
- if (($type eq '_LC_external') || ($type eq '_LC_internetdom')) {
+ if (($type eq '_LC_external') || ($type eq '_LC_internetdom') || ($type eq '_LC_ipchange')) {
$style = $homedom_div_style;
}
my $space;
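Review bot: The type list `('_LC_external','_LC_internetdom','_LC_ipchange')` now appears twice in this file (here and in the earlier hunk where `$current` is cleared), so the next rule type added must be remembered in both places. Consider a single file-scope `my %homedom_only = map { $_ => 1 } qw(_LC_external _LC_internetdom _LC_ipchange);` and `if ($homedom_only{$type}) {` at both sites. The `_LC_ipchange*` rows also get `balancer`/`offloadedto` but no `none` choice, which may be intended (one of the two always applies) — a one-line comment on that branch would save the next reader from asking.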
@@ -3297,6 +3304,8 @@
'externalbalancer' => "Offloads to Load Balancer in user's domain",
'specific' => 'Offloads to specific server',
'none' => 'No offload',
+ 'balancer' => 'Session hosted on Load Balancer, after re-authentication',
+ 'offloadedto' => 'Session hosted on offload server, after re-authentication',
);
return %ruletitles;
}
@@ -8636,7 +8645,8 @@
my $balancetext;
if ($rule eq '') {
$balancetext = $ruletitles{'default'};
- } elsif (($rule eq 'homeserver') || ($rule eq 'externalbalancer')) {
+ } elsif (($rule eq 'homeserver') || ($rule eq 'externalbalancer') ||
+ ($rule eq 'balancer') || ($rule eq 'offloadedto')) {
$balancetext = $ruletitles{$rule};
} else {
$balancetext = &mt('offload to [_1]',$defaultshash{'loadbalancing'}{$balancer}{'rules'}{$type});
@@ -9369,7 +9379,6 @@
);
}
-
sub devalidate_remote_domconfs {
my ($dom) = @_;
my $primary_id = &Apache::lonnet::domain($dom,'primary');