make it configurable which authentication modules can be used for the admin course

Author: Alex-Jordan

conf/authen_CAS.conf.dist

@@ -12,6 +12,24 @@ $authen{user_module} = {
   "*" => "WeBWorK::Authen::CAS",
 };
 
+# List of authentication modules that may be used to enter the admin course.
+# This should be a non-empty sublist of whatever is in $authen{user_module}.
+# Since the admin course provides overall power to add/delete courses, access
+# to this course should be protected by the best possible authentication you
+# have available to you.  The current default is
+# WeBWorK::Authen::Basic_TheLastOption which is simple password based
+# authentication for a password locally stored in your WeBWorK server's
+# database.  On one hand, this is necessary as the initial setting, as it is the
+# only option available when a new server is being installed.  However, since
+# this option does not make use of multi-factor authentication or provide any
+# capabilities to prevent dictionary attacks, etc.  At the very least you should
+# use a very strong password.  If you have the option to use a more secure
+# authentication approach to the admin course (one which you are confident
+# cannot be spoofed) that is preferable.
+$authen{admin_module} = [
+	'WeBWorK::Authen::CAS'
+];
+
 $authen{cas_options} = {
 	# Options to pass to the AuthCAS module.
 	# Note that this is (plain) AuthCAS, not Apache::AuthCAS

conf/authen_LTI.conf.dist

@@ -45,6 +45,26 @@ $authen{user_module} = [
 	{ '*' => 'WeBWorK::Authen::Basic_TheLastOption' }    # fallback authorization method
 ];
 
+# List of authentication modules that may be used to enter the admin course.
+# This should be a non-empty sublist of whatever is in $authen{user_module}.
+# Since the admin course provides overall power to add/delete courses, access
+# to this course should be protected by the best possible authentication you
+# have available to you.  The current default is
+# WeBWorK::Authen::Basic_TheLastOption which is simple password based
+# authentication for a password locally stored in your WeBWorK server's
+# database.  On one hand, this is necessary as the initial setting, as it is the
+# only option available when a new server is being installed.  However, since
+# this option does not make use of multi-factor authentication or provide any
+# capabilities to prevent dictionary attacks, etc.  At the very least you should
+# use a very strong password.  If you have the option to use a more secure
+# authentication approach to the admin course (one which you are confident
+# cannot be spoofed) that is preferable.
+$authen{admin_module} = [
+	'WeBWorK::Authen::LTIAdvantage',
+	'WeBWorK::Authen::LTIAdvanced',
+	'WeBWorK::Authen::Basic_TheLastOption'
+];
+
 # Include configurations.  You must uncomment at least one of the following. You may uncomment
 # both if the site may be using both LTI 1.1 and 1.3 in different courses. After uncommenting
 # the LTI_1_x line, you must copy the file authen_LTI_1_x.conf.dist to authen_LTI_1_x.conf and

conf/authen_ldap.conf.dist

@@ -12,6 +12,24 @@ $authen{user_module} = {
 	"*" => "WeBWorK::Authen::LDAP",
 };
 
+# List of authentication modules that may be used to enter the admin course.
+# This should be a non-empty sublist of whatever is in $authen{user_module}.
+# Since the admin course provides overall power to add/delete courses, access
+# to this course should be protected by the best possible authentication you
+# have available to you.  The current default is
+# WeBWorK::Authen::Basic_TheLastOption which is simple password based
+# authentication for a password locally stored in your WeBWorK server's
+# database.  On one hand, this is necessary as the initial setting, as it is the
+# only option available when a new server is being installed.  However, since
+# this option does not make use of multi-factor authentication or provide any
+# capabilities to prevent dictionary attacks, etc.  At the very least you should
+# use a very strong password.  If you have the option to use a more secure
+# authentication approach to the admin course (one which you are confident
+# cannot be spoofed) that is preferable.
+$authen{admin_module} = [
+	'WeBWorK::Authen::LDAP'
+];
+
 $authen{ldap_options} = {
 	# hosts to attempt to connect to, in order. For example:
 	#   auth.myschool.edu             -- uses LDAP scheme and port 389

conf/defaults.config

@@ -698,28 +698,29 @@ $modelCoursesForCopy = [ "modelCourse" ];
 # Select the authentication module to use for normal logins.
 #
 # If this value is a string, the given authentication module will be used
-# regardless of the database layout. If it is a hash, the database layout name
-# will be looked up in the hash and the resulting value will be used as the
-# authentication module. The special hash key "*" is used if no entry for the
-# current database layout is found.
-# If this value is a sequence of strings or hashes, then each
-# string or hash in the sequence will be successively tested to see if it
-# provides a module that can handle
-# the authentication request (by calling the module's
-#   sub  request_has_data_for_this_verification_module ).
-# The first module that responds affirmatively will be used.
+# regardless of the database layout.
 #
+# If it is a hash, the database layout name will be looked up in the hash and
+# the resulting value will be used as the authentication module.  The special
+# hash key "*" is used if no entry for the current database layout is found.
 #
-$authen{user_module} = {
-	# sql_moodle => "WeBWorK::Authen::Moodle",
-	# sql_ldap   => "WeBWorK::Authen::LDAP",
-	"*" => "WeBWorK::Authen::Basic_TheLastOption",
-};
+# If this value is a sequence of strings or hashes, then each string or hash in
+# the sequence will be successively tested to see if it provides a module that
+# can handle the authentication request by calling the module's sub
+# request_has_data_for_this_verification_module().  The first module that
+# responds affirmatively will be used.
+
+$authen{user_module} = {"*" => "WeBWorK::Authen::Basic_TheLastOption"};
 
 # Select the authentication module to use for proctor logins.
 # A string or a hash is accepted, as above.
 $authen{proctor_module} = "WeBWorK::Authen::Proctor";
 
+# List of authentication modules that may be used to enter the admin course.
+# This should always be an array reference with a subset of the modules named
+# in $authen{user_module}.
+$authen{admin_module} = ['WeBWorK::Authen::Basic_TheLastOption'];
+
 ################################################################################
 # Authorization system (Make local overrides in localOverrides.conf )
 ################################################################################

conf/localOverrides.conf.dist

@@ -438,12 +438,57 @@ $mail{feedbackRecipients}    = [
 # END_PREAMBLE
 
 ################################################################################
-# Authentication Methods
+# Authentication
 ################################################################################
 
 # Extra modules have been created to allow WeBWorK to use certain external
 # methods of authentication.
 
+# Select the authentication module to use for normal logins.
+#
+# If this value is a string, the given authentication module will be used
+# regardless of the database layout.
+#
+# If it is a hash, the database layout name will be looked up in the hash and
+# the resulting value will be used as the authentication module.  The special
+# hash key "*" is used if no entry for the current database layout is found.
+#
+# If this value is a sequence of strings or hashes, then each string or hash in
+# the sequence will be successively tested to see if it provides a module that
+# can handle the authentication request by calling the module's sub
+# request_has_data_for_this_verification_module().  The first module that
+# responds affirmatively will be used.
+
+#$authen{user_module} = {
+#	sql_moodle => "WeBWorK::Authen::Moodle",
+#	sql_ldap   => "WeBWorK::Authen::LDAP"
+#	"*"        => "WeBWorK::Authen::Basic_TheLastOption"
+#};
+
+# Select the authentication module to use for proctor logins.
+# A string or a hash is accepted, as above.
+#$authen{proctor_module} = "WeBWorK::Authen::Proctor";
+
+# List of authentication modules that may be used to enter the admin course.
+# This should be a non-empty sublist of whatever is in $authen{user_module}.
+# Since the admin course provides overall power to add/delete courses, access
+# to this course should be protected by the best possible authentication you
+# have available to you.  The current default is
+# WeBWorK::Authen::Basic_TheLastOption which is simple password based
+# authentication for a password locally stored in your WeBWorK server's
+# database.  On one hand, this is necessary as the initial setting, as it is the
+# only option available when a new server is being installed.  However, since
+# this option does not make use of multi-factor authentication or provide any
+# capabilities to prevent dictionary attacks, etc.  At the very least you should
+# use a very strong password.  If you have the option to use a more secure
+# authentication approach to the admin course (one which you are confident
+# cannot be spoofed) that is preferable.
+#$authen{admin_module} = [
+#	'WeBWorK::Authen::Moodle',
+#	'WeBWorK::Authen::LDAP',
+#	'WeBWorK::Authen::Basic_TheLastOption'
+#];
+
 ################################################################################
 # IMS LTI Authentication
 ################################################################################

lib/WeBWorK/Authen.pm

@@ -189,8 +189,9 @@ sub verify {
 		return ($self->call_next_authen_method());
 	}
 
-	if ($c->ce->{courseName} eq 'admin' && ref($c->authen) =~ /LTI/) {
-		$c->stash(authen_error => maketext('Cannot authenticate into admin course using LTI authentication.'));
+	my $authen_ref = ref($c->authen);
+	if ($c->ce->{courseName} eq 'admin' && !(grep(/^$authen_ref$/, @{ $c->ce->{authen}{admin_module} }))) {
+		$c->stash(authen_error => maketext("Cannot authenticate into admin course using $authen_ref."));
 		return ($self->call_next_authen_method());
 	}