[LON-CAPA-cvs] cvs: loncom / loncapa_apache.conf /auth lonipcheck.pm /homework lonhomework.pm /publisher packages.tab doc/loncapafiles loncapafiles.lpml

raeburn lon-capa-cvs-allow@mail.lon-capa.org
Fri, 05 Sep 2008 17:43:35 -0000



raeburn		Fri Sep  5 13:43:35 2008 EDT

  Added files:                 
    /loncom/auth	lonipcheck.pm 

  Modified files:              
    /loncom	loncapa_apache.conf 
    /doc/loncapafiles	loncapafiles.lpml 
    /loncom/homework	lonhomework.pm 
    /loncom/publisher	packages.tab 
  Log:
  Bug 5777
  - IP-based access control extended to encompass additional resources (i.e., HTML files, Bulletin Boards, External Resources, Simple Pages), beyond the existing support for problem/exam/survey files.
  - New lonipcheck.pm added as a chained content handler, called after londatecheck.
  - &check_ip_acc() moved from lonhomework.pm to loncommon.pm to be more widely available.
  
  

Index: loncom/loncapa_apache.conf
diff -u loncom/loncapa_apache.conf:1.177 loncom/loncapa_apache.conf:1.178
--- loncom/loncapa_apache.conf:1.177	Tue Jul  8 13:52:32 2008
+++ loncom/loncapa_apache.conf	Fri Sep  5 13:43:31 2008
@@ -1,7 +1,7 @@
 ##
 ## loncapa_apache.conf -- Apache HTTP LON-CAPA configuration file
 ##
-## $Id: loncapa_apache.conf,v 1.177 2008/07/08 17:52:32 raeburn Exp $
+## $Id: loncapa_apache.conf,v 1.178 2008/09/05 17:43:31 raeburn Exp $
 ##
 
 #
@@ -105,7 +105,8 @@
 AuthType LONCAPA
 Require valid-user
 PerlAuthzHandler	Apache::lonacc
-PerlHandler Apache::londatecheck
+PerlHandler 		Apache::londatecheck
+PerlHandler  		Apache::lonipcheck
 PerlHeaderParserHandler Apache::lonuploadrep
 ErrorDocument     403 /adm/login
 ErrorDocument     404 /adm/notfound.html
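Review bot: Nothing in these blocks records that the position of the `PerlHandler Apache::lonipcheck` line is what enforces the IP restriction. According to the description added to loncapafiles.lpml, the handler works by disabling the PerlHandlers that follow it, so a later edit that reorders the lines or puts a content handler ahead of it would silently remove the control. I would add a comment above the line in each block, for example `# lonipcheck must stay ahead of the content handler: it cancels the remaining PerlHandlers when the client IP is not allowed`. The same applies to the four later hunks in this file (the lonsimplepage, lonbulletin, lonxml and lonwrapper blocks). The enclosing blocks start outside the hunks, so it is worth checking the rest of the file for any other block that lists londatecheck for these resource types without lonipcheck after it.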
@@ -203,6 +204,7 @@
 PerlAuthzHandler	Apache::lonacc
 SetHandler              perl-script
 PerlHandler             Apache::londatecheck
+PerlHandler		Apache::lonipcheck
 PerlHandler             Apache::lonsimplepage
 ErrorDocument     404 /adm/notfound.html
 ErrorDocument     406 /adm/notinit.html
@@ -215,6 +217,7 @@
 PerlAuthzHandler	Apache::lonacc
 SetHandler              perl-script
 PerlHandler             Apache::londatecheck
+PerlHandler		Apache::lonipcheck
 PerlHandler             Apache::lonbulletin
 ErrorDocument     404 /adm/notfound.html
 ErrorDocument     406 /adm/notinit.html
@@ -372,6 +375,7 @@
 <LocationMatch "^/+(uploaded|res|\~).*\.(xml|html|htm|xhtml|xhtm|sty)$">
 SetHandler perl-script
 PerlHandler Apache::londatecheck
+PerlHandler Apache::lonipcheck
 PerlHandler Apache::lonxml
 </LocationMatch>
 
@@ -385,6 +389,7 @@
 Require valid-user
 PerlAuthzHandler       Apache::lonacc
 PerlHandler Apache::londatecheck
+PerlHandler Apache::lonipcheck
 SetHandler perl-script
 PerlHandler Apache::lonwrapper
 ErrorDocument     403 /adm/login
Index: doc/loncapafiles/loncapafiles.lpml
diff -u doc/loncapafiles/loncapafiles.lpml:1.609 doc/loncapafiles/loncapafiles.lpml:1.610
--- doc/loncapafiles/loncapafiles.lpml:1.609	Thu Sep  4 09:57:09 2008
+++ doc/loncapafiles/loncapafiles.lpml	Fri Sep  5 13:43:32 2008
@@ -2,7 +2,7 @@
  "http://lpml.sourceforge.net/DTD/lpml.dtd">
 <!-- loncapafiles.lpml -->
 
-<!-- $Id: loncapafiles.lpml,v 1.609 2008/09/04 13:57:09 riegler Exp $ -->
+<!-- $Id: loncapafiles.lpml,v 1.610 2008/09/05 17:43:32 raeburn Exp $ -->
 
 <!--
 
@@ -5010,6 +5010,13 @@
 <status>works/unverified</status>
 </file>
 <file>
+<source>loncom/auth/lonipcheck.pm</source>
+<target dist='default'>home/httpd/lib/perl/Apache/lonipcheck.pm</target>
+<categoryname>handler</categoryname>
+<description>Checks IP-based access control settings - disable subsequent PerlHandlers if client's IP is blocked</description>
+<status>works/unverified</status>
+</file>
+<file>
 <source>loncom/auth/londatecheck.pm</source>
 <target dist='default'>home/httpd/lib/perl/Apache/londatecheck.pm</target>
 <categoryname>handler</categoryname>
Index: loncom/homework/lonhomework.pm
diff -u loncom/homework/lonhomework.pm:1.296 loncom/homework/lonhomework.pm:1.297
--- loncom/homework/lonhomework.pm:1.296	Mon Jul 28 01:26:00 2008
+++ loncom/homework/lonhomework.pm	Fri Sep  5 13:43:32 2008
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # The LON-CAPA Homework handler
 #
-# $Id: lonhomework.pm,v 1.296 2008/07/28 05:26:00 raeburn Exp $
+# $Id: lonhomework.pm,v 1.297 2008/09/05 17:43:32 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -209,58 +209,6 @@
     return 0;
 }
 
-sub check_ip_acc {
-    my ($acc)=@_;
-    &Apache::lonxml::debug("acc is $acc");
-    if (!defined($acc) || $acc =~ /^\s*$/ || $acc =~/^\s*no\s*$/i) { 
-	return 1;
-    }
-    my $allowed=0;
-    my $ip=$env{'request.host'} || $ENV{'REMOTE_ADDR'};
-
-    my $name;
-    foreach my $pattern (split(',',$acc)) {
-	$pattern =~ s/^\s*//;
-	$pattern =~ s/\s*$//;
-	if ($pattern =~ /\*$/) {
-	    #35.8.*
-	    $pattern=~s/\*//;
-	    if ($ip =~ /^\Q$pattern\E/) { $allowed=1; }
-	} elsif ($pattern =~ /(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]$/) {    
-	    #35.8.3.[34-56]
-	    my $low=$2;
-	    my $high=$3;
-	    $pattern=$1;
-	    if ($ip =~ /^\Q$pattern\E/) { 
-		my $last=(split(/\./,$ip))[3];
-		if ($last <=$high && $last >=$low) { $allowed=1; }
-	    }
-	} elsif ($pattern =~ /^\*/) {
-	    #*.msu.edu
-	    $pattern=~s/\*//;
-	    if (!defined($name)) {
-		use Socket;
-		my $netaddr=inet_aton($ip);
-		($name)=gethostbyaddr($netaddr,AF_INET);
-	    }
-	    if ($name =~ /\Q$pattern\E$/i) { $allowed=1; }
-	} elsif ($pattern =~ /\d+\.\d+\.\d+\.\d+/) {
-	    #127.0.0.1
-	    if ($ip =~ /^\Q$pattern\E/) { $allowed=1; }
-	} else {
-	    #some.name.com
-	    if (!defined($name)) {
-		use Socket;
-		my $netaddr=inet_aton($ip);
-		($name)=gethostbyaddr($netaddr,AF_INET);
-	    }
-	    if ($name =~ /\Q$pattern\E$/i) { $allowed=1; }
-	}
-	if ($allowed) { last; }
-    }
-    return $allowed;
-}
-
 sub check_slot_access {
     my ($id,$type)=@_;
 
@@ -307,7 +255,7 @@
 	&Apache::lonhomework::showhash(%slot);
 	if ($slot{'starttime'} < time &&
 	    $slot{'endtime'} > time &&
-	    &check_ip_acc($slot{'ip'})) {
+	    &Apache::loncommon::check_ip_acc($slot{'ip'})) {
 	    &Apache::lonxml::debug("$slot is good");
 	    $slotstatus='NEEDS_CHECKIN';
 	    $returned_slot=\%slot;
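Review bot: The access decision at this call site, and at the `resource.$id.acc` check in the next hunk, now rests on `&Apache::loncommon::check_ip_acc`, and loncommon.pm is not among the files listed in this commit, so its body cannot be reviewed here. If the function was moved unchanged from the version removed above, the exact-address branch tests `$ip =~ /^\Q$pattern\E/`, which is a prefix match: a rule for one address also admits every longer address that begins with the same characters. For that branch I would use equality, `if ($ip eq $pattern) { $allowed=1; }`. The host-name branches compare against the name returned by `gethostbyaddr` alone, so they trust reverse DNS supplied by whoever controls the client's PTR record; a forward lookup confirming that the name resolves back to `$ip` would close that gap. The enclosing subroutine starts and ends outside this hunk.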
@@ -421,7 +369,7 @@
     #if ($env{'request.state'} ne "construct" && $symb ne '') {
     if ($env{'request.state'} ne "construct") {
         my $idacc = &Apache::lonnet::EXT("resource.$id.acc");
-	my $allowed=&check_ip_acc($idacc);
+	my $allowed=&Apache::loncommon::check_ip_acc($idacc);
 	if (!$allowed && ($Apache::lonhomework::browse ne 'F')) {
 	    $status='INVALID_ACCESS';
 	    $date=&mt("can not be accessed from your location.");
Index: loncom/publisher/packages.tab
diff -u loncom/publisher/packages.tab:1.54 loncom/publisher/packages.tab:1.55
--- loncom/publisher/packages.tab:1.54	Sat Dec  1 14:57:15 2007
+++ loncom/publisher/packages.tab	Fri Sep  5 13:43:33 2008
@@ -144,6 +144,8 @@
 default&hiddenresource&type:string_yesno
 default&buttonshide&display:Hide buttons from students
 default&buttonshide&type:string_yesno
+default&acc&display:Client IP/Name Access Control
+default&acc&type:string_ip
 #default&hiddenresource&hidden:parm
 
 #bridge tasks

Index: loncom/auth/lonipcheck.pm
+++ loncom/auth/lonipcheck.pm
# Checks IP access settings - disable subsequent PerlHandlers if client IP blocked
# $Id: lonipcheck.pm,v 1.1 2008/09/05 17:43:31 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
# This file is part of the LearningOnline Network with CAPA (LON-CAPA).
#
# LON-CAPA is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# LON-CAPA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with LON-CAPA; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
# /home/httpd/html/adm/gpl.txt
#
# http://www.lon-capa.org/
#

use strict;
package Apache::lonipcheck;
use Apache::lonnet;
use Apache::lonlocal;
use Apache::loncommon();
use Apache::Constants qw(:common :http :methods);

sub ip_access_check {
    my $symb=$env{'request.symb'};
    if ($env{'request.state'} ne "construct") {
        my $idacc = &Apache::lonnet::EXT('resource.0.acc',$symb);
        my $allowed=&Apache::loncommon::check_ip_acc($idacc);
        if (!$allowed) {
            return('INVALID_ACCESS',
                   '<h1>'.&mt('Not open to be viewed').'</h1>'.
                   &mt("This resource can not be accessed from your location."));

        }
    }
    return ('OPEN');
}

sub handler {
    my ($r)=@_;
    if (&Apache::lonnet::allowed('bre',$r->uri) eq 'F') {
	return DECLINED;
    }
    my ($status,$msg)=&ip_access_check();
    if ($status ne 'OPEN') {
	$r->set_handlers('PerlHandler'=>undef);
	&Apache::loncommon::content_type($r,'text/html');
	$r->send_http_header;
	return OK if $r->header_only;
	my $start_page =
	    &Apache::loncommon::start_page('Not Open',undef,
					   {'bgcolor'        => '#FFFFFF',
					    'force_register' => 1,});
	my $end_page = &Apache::loncommon::end_page();
	$r->print($start_page.$msg.$end_page);

	return OK;
    }
    return DECLINED;
}
1;
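Review bot: When `ip_access_check` reports a block, `handler` sends the refusal page with the default success status and returns `OK` without writing anything to the log, so denied requests look like ordinary hits to monitoring and to any intermediary cache. I would set the status before the header is sent, `$r->status(FORBIDDEN);` ahead of `$r->send_http_header;`, and record the event with something like `$r->log_error('lonipcheck: access denied by IP rule for '.$r->uri);`. Two bypasses also deserve a comment, since they are deliberate but undocumented: the early `return DECLINED` for users whose `bre` privilege is `'F'`, and the skip when `request.state` is `construct`. Finally, `resource.0.acc` is looked up with `$env{'request.symb'}`; if that is empty for a request, the lookup presumably yields no rule and the resource is treated as open, which is worth confirming against the resource types this commit newly covers.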
