src/modules/m_httpd_acl.cpp

   1 /*
   2  * InspIRCd -- Internet Relay Chat Daemon
   3  *
   4  *   Copyright (C) 2009-2010 Daniel De Graaf <danieldg@inspircd.org>
   5  *   Copyright (C) 2008 Craig Edwards <craigedwards@brainbox.cc>
   6  *
   7  * This file is part of InspIRCd.  InspIRCd is free software: you can
   8  * redistribute it and/or modify it under the terms of the GNU General Public
   9  * License as published by the Free Software Foundation, version 2.
  10  *
  11  * This program is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  13  * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
  14  * details.
  15  *
  16  * You should have received a copy of the GNU General Public License
  17  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18  */
  19
  20
  21 #include "inspircd.h"
  22 #include "httpd.h"
  23 #include "protocol.h"
  24
  25 /* $ModDesc: Provides access control lists (passwording of resources, ip restrictions etc) to m_httpd.so dependent modules */
  26
  27 class HTTPACL
  28 {
  29  public:
  30         std::string path;
  31         std::string username;
  32         std::string password;
  33         std::string whitelist;
  34         std::string blacklist;
  35
  36         HTTPACL(const std::string &set_path, const std::string &set_username, const std::string &set_password,
  37                 const std::string &set_whitelist, const std::string &set_blacklist)
  38                 : path(set_path), username(set_username), password(set_password), whitelist(set_whitelist),
  39                 blacklist(set_blacklist) { }
  40
  41         ~HTTPACL() { }
  42 };
  43
  44 class ModuleHTTPAccessList : public Module
  45 {
  46
  47         std::string stylesheet;
  48         bool changed;
  49         std::vector<HTTPACL> acl_list;
  50
  51  public:
  52
  53         void ReadConfig()
  54         {
  55                 acl_list.clear();
  56                 ConfigTagList acls = ServerInstance->Config->ConfTags("httpdacl");
  57                 for (ConfigIter i = acls.first; i != acls.second; i++)
  58                 {
  59                         ConfigTag* c = i->second;
  60                         std::string path = c->getString("path");
  61                         std::string types = c->getString("types");
  62                         irc::commasepstream sep(types);
  63                         std::string type;
  64                         std::string username;
  65                         std::string password;
  66                         std::string whitelist;
  67                         std::string blacklist;
  68
  69                         while (sep.GetToken(type))
  70                         {
  71                                 if (type == "password")
  72                                 {
  73                                         username = c->getString("username");
  74                                         password = c->getString("password");
  75                                 }
  76                                 else if (type == "whitelist")
  77                                 {
  78                                         whitelist = c->getString("whitelist");
  79                                 }
  80                                 else if (type == "blacklist")
  81                                 {
  82                                         blacklist = c->getString("blacklist");
  83                                 }
  84                                 else
  85                                 {
  86                                         throw ModuleException("Invalid HTTP ACL type '" + type + "'");
  87                                 }
  88                         }
  89
  90                         ServerInstance->Logs->Log("m_httpd_acl", DEBUG, "Read ACL: path=%s pass=%s whitelist=%s blacklist=%s", path.c_str(),
  91                                         password.c_str(), whitelist.c_str(), blacklist.c_str());
  92
  93                         acl_list.push_back(HTTPACL(path, username, password, whitelist, blacklist));
  94                 }
  95         }
  96
  97         void init()
  98         {
  99                 ReadConfig();
 100                 Implementation eventlist[] = { I_OnEvent };
 101                 ServerInstance->Modules->Attach(eventlist, this, sizeof(eventlist)/sizeof(Implementation));
 102         }
 103
 104         void BlockAccess(HTTPRequest* http, int returnval, const std::string &extraheaderkey = "", const std::string &extraheaderval="")
 105         {
 106                 ServerInstance->Logs->Log("m_httpd_acl", DEBUG, "BlockAccess (%d)", returnval);
 107
 108                 std::stringstream data("Access to this resource is denied by an access control list. Please contact your IRC administrator.");
 109                 HTTPDocumentResponse response(this, *http, &data, returnval);
 110                 response.headers.SetHeader("X-Powered-By", "m_httpd_acl.so");
 111                 if (!extraheaderkey.empty())
 112                         response.headers.SetHeader(extraheaderkey, extraheaderval);
 113                 response.Send();
 114         }
 115
 116         void OnEvent(Event& event)
 117         {
 118                 if (event.id == "httpd_acl")
 119                 {
 120                         ServerInstance->Logs->Log("m_http_stats", DEBUG,"Handling httpd acl event");
 121                         HTTPRequest* http = (HTTPRequest*)&event;
 122
 123                         for (std::vector<HTTPACL>::const_iterator this_acl = acl_list.begin(); this_acl != acl_list.end(); ++this_acl)
 124                         {
 125                                 if (InspIRCd::Match(http->GetURI(), this_acl->path, ascii_case_insensitive_map))
 126                                 {
 127                                         if (!this_acl->blacklist.empty())
 128                                         {
 129                                                 /* Blacklist */
 130                                                 irc::commasepstream sep(this_acl->blacklist);
 131                                                 std::string entry;
 132
 133                                                 while (sep.GetToken(entry))
 134                                                 {
 135                                                         if (InspIRCd::Match(http->GetIP(), entry, ascii_case_insensitive_map))
 136                                                         {
 137                                                                 ServerInstance->Logs->Log("m_httpd_acl", DEBUG, "Denying access to blacklisted resource %s (matched by pattern %s) from ip %s (matched by entry %s)",
 138                                                                                 http->GetURI().c_str(), this_acl->path.c_str(), http->GetIP().c_str(), entry.c_str());
 139                                                                 BlockAccess(http, 403);
 140                                                                 return;
 141                                                         }
 142                                                 }
 143                                         }
 144                                         if (!this_acl->whitelist.empty())
 145                                         {
 146                                                 /* Whitelist */
 147                                                 irc::commasepstream sep(this_acl->whitelist);
 148                                                 std::string entry;
 149                                                 bool allow_access = false;
 150
 151                                                 while (sep.GetToken(entry))
 152                                                 {
 153                                                         if (InspIRCd::Match(http->GetIP(), entry, ascii_case_insensitive_map))
 154                                                                 allow_access = true;
 155                                                 }
 156
 157                                                 if (!allow_access)
 158                                                 {
 159                                                         ServerInstance->Logs->Log("m_httpd_acl", DEBUG, "Denying access to whitelisted resource %s (matched by pattern %s) from ip %s (Not in whitelist)",
 160                                                                         http->GetURI().c_str(), this_acl->path.c_str(), http->GetIP().c_str());
 161                                                         BlockAccess(http, 403);
 162                                                         return;
 163                                                 }
 164                                         }
 165                                         if (!this_acl->password.empty() && !this_acl->username.empty())
 166                                         {
 167                                                 /* Password auth, first look to see if we have a basic authentication header */
 168                                                 ServerInstance->Logs->Log("m_httpd_acl", DEBUG, "Checking HTTP auth password for resource %s (matched by pattern %s) from ip %s, against username %s",
 169                                                                 http->GetURI().c_str(), this_acl->path.c_str(), http->GetIP().c_str(), this_acl->username.c_str());
 170
 171                                                 if (http->headers->IsSet("Authorization"))
 172                                                 {
 173                                                         /* Password has been given, validate it */
 174                                                         std::string authorization = http->headers->GetHeader("Authorization");
 175                                                         irc::spacesepstream sep(authorization);
 176                                                         std::string authtype;
 177                                                         std::string base64;
 178
 179                                                         sep.GetToken(authtype);
 180                                                         if (authtype == "Basic")
 181                                                         {
 182                                                                 std::string user;
 183                                                                 std::string pass;
 184
 185                                                                 sep.GetToken(base64);
 186                                                                 std::string userpass = Base64ToBin(base64);
 187                                                                 ServerInstance->Logs->Log("m_httpd_acl", DEBUG, "HTTP authorization: %s (%s)", userpass.c_str(), base64.c_str());
 188
 189                                                                 irc::sepstream userpasspair(userpass, ':');
 190                                                                 if (userpasspair.GetToken(user))
 191                                                                 {
 192                                                                         userpasspair.GetToken(pass);
 193
 194                                                                         /* Access granted if username and password are correct */
 195                                                                         if (user == this_acl->username && pass == this_acl->password)
 196                                                                         {
 197                                                                                 ServerInstance->Logs->Log("m_httpd_acl", DEBUG, "HTTP authorization: password and username match");
 198                                                                                 return;
 199                                                                         }
 200                                                                         else
 201                                                                                 /* Invalid password */
 202                                                                                 BlockAccess(http, 401, "WWW-Authenticate", "Basic realm=\"Restricted Object\"");
 203                                                                 }
 204                                                                 else
 205                                                                         /* Malformed user:pass pair */
 206                                                                         BlockAccess(http, 401, "WWW-Authenticate", "Basic realm=\"Restricted Object\"");
 207                                                         }
 208                                                         else
 209                                                                 /* Unsupported authentication type */
 210                                                                 BlockAccess(http, 401, "WWW-Authenticate", "Basic realm=\"Restricted Object\"");
 211                                                 }
 212                                                 else
 213                                                 {
 214                                                         /* No password given at all, access denied */
 215                                                         BlockAccess(http, 401, "WWW-Authenticate", "Basic realm=\"Restricted Object\"");
 216                                                 }
 217                                         }
 218
 219                                         /* A path may only match one ACL (the first it finds in the config file) */
 220                                         return;
 221                                 }
 222                         }
 223                 }
 224         }
 225
 226         virtual ~ModuleHTTPAccessList()
 227         {
 228         }
 229
 230         virtual Version GetVersion()
 231         {
 232                 return Version("Provides access control lists (passwording of resources, ip restrictions etc) to m_httpd.so dependent modules", VF_VENDOR);
 233         }
 234 };
 235
 236 MODULE_INIT(ModuleHTTPAccessList)