2 * InspIRCd -- Internet Relay Chat Daemon
4 * Copyright (C) 2009-2010 Daniel De Graaf <danieldg@inspircd.org>
5 * Copyright (C) 2007-2008 John Brooks <john.brooks@dereferenced.net>
6 * Copyright (C) 2008 Pippijn van Steenhoven <pip88nl@gmail.com>
7 * Copyright (C) 2006-2008 Craig Edwards <craigedwards@brainbox.cc>
8 * Copyright (C) 2007 Robin Burchell <robin+git@viroteck.net>
9 * Copyright (C) 2007 Dennis Friis <peavey@inspircd.org>
10 * Copyright (C) 2006 Oliver Lupton <oliverlupton@gmail.com>
12 * This file is part of InspIRCd. InspIRCd is free software: you can
13 * redistribute it and/or modify it under the terms of the GNU General Public
14 * License as published by the Free Software Foundation, version 2.
16 * This program is distributed in the hope that it will be useful, but WITHOUT
17 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
18 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
21 * You should have received a copy of the GNU General Public License
22 * along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "modules/ssl.h"
28 #include "modules/whois.h"
33 RPL_WHOISGATEWAY = 350
36 // We need this method up here so that it can be accessed from anywhere
37 static void ChangeIP(LocalUser* user, const irc::sockets::sockaddrs& sa)
39 // Set the users IP address and make sure they are in the right clone pool.
40 ServerInstance->Users->RemoveCloneCounts(user);
41 user->SetClientIP(sa);
42 ServerInstance->Users->AddClone(user);
46 // Recheck the connect class.
53 // Check if this user matches any XLines.
54 user->CheckLines(true);
59 // Encapsulates information about an ident host.
67 IdentHost(const std::string& mask, const std::string& ident)
73 const std::string& GetIdent() const
78 bool Matches(LocalUser* user) const
80 if (!InspIRCd::Match(user->GetRealHost(), hostmask, ascii_case_insensitive_map))
83 return InspIRCd::MatchCIDR(user->GetIPString(), hostmask, ascii_case_insensitive_map);
87 // Encapsulates information about a WebIRC host.
92 std::string fingerprint;
97 WebIRCHost(const std::string& mask, const std::string& fp, const std::string& pass, const std::string& hash)
105 bool Matches(LocalUser* user, const std::string& pass) const
107 // Did the user send a valid password?
108 if (!password.empty() && !ServerInstance->PassCompare(user, password, pass, passhash))
111 // Does the user have a valid fingerprint?
112 const std::string fp = SSLClientCert::GetFingerprint(&user->eh);
113 if (!fingerprint.empty() && fp != fingerprint)
116 // Does the user's hostname match our hostmask?
117 if (InspIRCd::Match(user->GetRealHost(), hostmask, ascii_case_insensitive_map))
120 // Does the user's IP address match our hostmask?
121 return InspIRCd::MatchCIDR(user->GetIPString(), hostmask, ascii_case_insensitive_map);
127 * This is used for the webirc method of CGIIRC auth, and is (really) the best way to do these things.
128 * Syntax: WEBIRC password gateway hostname ip
129 * Where password is a shared key, gateway is the name of the WebIRC gateway and version (e.g. cgiirc), hostname
130 * is the resolved host of the client issuing the command and IP is the real IP of the client.
133 * To tie in with the rest of cgiirc module, and to avoid race conditions, /webirc is only processed locally
134 * and simply sets metadata on the user, which is later decoded on full connect to give something meaningful.
136 class CommandWebIRC : public SplitCommand
139 std::vector<WebIRCHost> hosts;
141 StringExtItem gateway;
142 StringExtItem realhost;
143 StringExtItem realip;
145 CommandWebIRC(Module* Creator)
146 : SplitCommand(Creator, "WEBIRC", 4)
147 , gateway("cgiirc_gateway", ExtensionItem::EXT_USER, Creator)
148 , realhost("cgiirc_realhost", ExtensionItem::EXT_USER, Creator)
149 , realip("cgiirc_realip", ExtensionItem::EXT_USER, Creator)
151 allow_empty_last_param = false;
152 works_before_reg = true;
153 this->syntax = "password gateway hostname ip";
156 CmdResult HandleLocal(LocalUser* user, const Params& parameters) CXX11_OVERRIDE
158 if (user->registered == REG_ALL || realhost.get(user))
161 irc::sockets::sockaddrs ipaddr;
162 if (!irc::sockets::aptosa(parameters[3], user->client_sa.port(), ipaddr))
164 user->CommandFloodPenalty += 5000;
165 WriteLog("Connecting user %s (%s) tried to use WEBIRC but gave an invalid IP address.",
166 user->uuid.c_str(), user->GetIPString().c_str());
170 for (std::vector<WebIRCHost>::const_iterator iter = hosts.begin(); iter != hosts.end(); ++iter)
172 // If we don't match the host then skip to the next host.
173 if (!iter->Matches(user, parameters[0]))
176 // The user matched a WebIRC block!
177 gateway.set(user, parameters[1]);
178 realhost.set(user, user->GetRealHost());
179 realip.set(user, user->GetIPString());
181 WriteLog("Connecting user %s is using a WebIRC gateway; changing their IP from %s to %s.",
182 user->uuid.c_str(), user->GetIPString().c_str(), parameters[3].c_str());
184 // Set the IP address sent via WEBIRC. We ignore the hostname and lookup
185 // instead do our own DNS lookups because of unreliable gateways.
186 ChangeIP(user, ipaddr);
190 user->CommandFloodPenalty += 5000;
191 WriteLog("Connecting user %s (%s) tried to use WEBIRC but didn't match any configured WebIRC hosts.",
192 user->uuid.c_str(), user->GetIPString().c_str());
196 void WriteLog(const char* message, ...) CUSTOM_PRINTF(2, 3)
199 VAFORMAT(buffer, message, message);
201 // If we are sending a snotice then the message will already be
202 // written to the logfile.
204 ServerInstance->SNO->WriteGlobalSno('w', buffer);
206 ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, buffer);
210 class ModuleCgiIRC : public Module, public Whois::EventListener
214 std::vector<IdentHost> hosts;
216 static bool ParseIdent(LocalUser* user, irc::sockets::sockaddrs& out)
218 const char* ident = NULL;
219 if (user->ident.length() == 8)
221 // The ident is an IPv4 address encoded in hexadecimal with two characters
222 // per address segment.
223 ident = user->ident.c_str();
225 else if (user->ident.length() == 9 && user->ident[0] == '~')
227 // The same as above but m_ident got to this user before we did. Strip the
228 // ident prefix and continue as normal.
229 ident = user->ident.c_str() + 1;
233 // The user either does not have an IPv4 in their ident or the gateway server
234 // is also running an identd. In the latter case there isn't really a lot we
235 // can do so we just assume that the client in question is not connecting via
240 // Try to convert the IP address to a string. If this fails then the user
241 // does not have an IPv4 address in their ident.
243 unsigned long address = strtoul(ident, NULL, 16);
247 out.in4.sin_family = AF_INET;
248 out.in4.sin_addr.s_addr = htonl(address);
254 : Whois::EventListener(this)
259 void init() CXX11_OVERRIDE
261 ServerInstance->SNO->EnableSnomask('w', "CGIIRC");
264 void ReadConfig(ConfigStatus& status) CXX11_OVERRIDE
266 std::vector<IdentHost> identhosts;
267 std::vector<WebIRCHost> webirchosts;
269 ConfigTagList tags = ServerInstance->Config->ConfTags("cgihost");
270 for (ConfigIter i = tags.first; i != tags.second; ++i)
272 ConfigTag* tag = i->second;
274 // Ensure that we have the <cgihost:mask> parameter.
275 const std::string mask = tag->getString("mask");
277 throw ModuleException("<cgihost:mask> is a mandatory field, at " + tag->getTagLocation());
279 // Determine what lookup type this host uses.
280 const std::string type = tag->getString("type");
281 if (stdalgo::string::equalsci(type, "ident"))
283 // The IP address should be looked up from the hex IP address.
284 const std::string newident = tag->getString("newident", "gateway", ServerInstance->IsIdent);
285 identhosts.push_back(IdentHost(mask, newident));
287 else if (stdalgo::string::equalsci(type, "webirc"))
289 // The IP address will be received via the WEBIRC command.
290 const std::string fingerprint = tag->getString("fingerprint");
291 const std::string password = tag->getString("password");
293 // WebIRC blocks require a password.
294 if (fingerprint.empty() && password.empty())
295 throw ModuleException("When using <cgihost type=\"webirc\"> either the fingerprint or password field is required, at " + tag->getTagLocation());
297 webirchosts.push_back(WebIRCHost(mask, fingerprint, password, tag->getString("hash")));
301 throw ModuleException(type + " is an invalid <cgihost:mask> type, at " + tag->getTagLocation());
305 // The host configuration was valid so we can apply it.
306 hosts.swap(identhosts);
307 cmd.hosts.swap(webirchosts);
309 // Do we send an oper notice when a m_cgiirc client has their IP changed?
310 cmd.notify = ServerInstance->Config->ConfValue("cgiirc")->getBool("opernotice", true);
313 ModResult OnSetConnectClass(LocalUser* user, ConnectClass* myclass) CXX11_OVERRIDE
315 // If <connect:webirc> is not set then we have nothing to do.
316 const std::string webirc = myclass->config->getString("webirc");
318 return MOD_RES_PASSTHRU;
320 // If the user is not connecting via a WebIRC gateway then they
321 // cannot match this connect class.
322 const std::string* gateway = cmd.gateway.get(user);
326 // If the gateway matches the <connect:webirc> constraint then
327 // allow the check to continue. Otherwise, reject it.
328 return InspIRCd::Match(*gateway, webirc) ? MOD_RES_PASSTHRU : MOD_RES_DENY;
331 ModResult OnUserRegister(LocalUser* user) CXX11_OVERRIDE
333 // There is no need to check for gateways if one is already being used.
334 if (cmd.realhost.get(user))
335 return MOD_RES_PASSTHRU;
337 for (std::vector<IdentHost>::const_iterator iter = hosts.begin(); iter != hosts.end(); ++iter)
339 // If we don't match the host then skip to the next host.
340 if (!iter->Matches(user))
343 // We have matched an <cgihost> block! Try to parse the encoded IPv4 address
345 irc::sockets::sockaddrs address(user->client_sa);
346 if (!ParseIdent(user, address))
347 return MOD_RES_PASSTHRU;
349 // Store the hostname and IP of the gateway for later use.
350 cmd.realhost.set(user, user->GetRealHost());
351 cmd.realip.set(user, user->GetIPString());
353 const std::string& newident = iter->GetIdent();
354 cmd.WriteLog("Connecting user %s is using an ident gateway; changing their IP from %s to %s and their ident from %s to %s.",
355 user->uuid.c_str(), user->GetIPString().c_str(), address.addr().c_str(), user->ident.c_str(), newident.c_str());
357 user->ChangeIdent(newident);
358 ChangeIP(user, address);
361 return MOD_RES_PASSTHRU;
364 void OnWhois(Whois::Context& whois) CXX11_OVERRIDE
366 if (!whois.IsSelfWhois() && !whois.GetSource()->HasPrivPermission("users/auspex"))
369 // If these fields are not set then the client is not using a gateway.
370 const std::string* realhost = cmd.realhost.get(whois.GetTarget());
371 const std::string* realip = cmd.realip.get(whois.GetTarget());
372 if (!realhost || !realip)
375 const std::string* gateway = cmd.gateway.get(whois.GetTarget());
377 whois.SendLine(RPL_WHOISGATEWAY, *realhost, *realip, "is connected via the " + *gateway + " WebIRC gateway");
379 whois.SendLine(RPL_WHOISGATEWAY, *realhost, *realip, "is connected via an ident gateway");
382 Version GetVersion() CXX11_OVERRIDE
384 return Version("Enables forwarding the real IP address of a user from a gateway to the IRC server", VF_VENDOR);
388 MODULE_INIT(ModuleCgiIRC)