-/* +------------------------------------+
\r * | Inspire Internet Relay Chat Daemon |
\r * +------------------------------------+
\r *
\r * InspIRCd: (C) 2002-2007 InspIRCd Development Team
\r * See: http://www.inspircd.org/wiki/index.php/Credits
\r *
\r * This program is free but copyrighted software; see
\r * the file COPYING for details.
\r *
\r * ---------------------------------------------------
\r */
\r\r#include "inspircd.h"
\r#include "users.h"
\r#include "modules.h"
\r#include "dns.h"
\r#ifndef WINDOWS
\r#include <sys/socket.h>
\r#include <netinet/in.h>
\r#include <arpa/inet.h>
\r#endif
\r\r/* $ModDesc: Change user's hosts connecting from known CGI:IRC hosts */
\r\renum CGItype { PASS, IDENT, PASSFIRST, IDENTFIRST, WEBIRC };
\r\r\r/** Holds a CGI site's details
\r */
\rclass CGIhost : public classbase
\r{
\rpublic:
\r std::string hostmask;
\r CGItype type;
\r std::string password;
\r\r CGIhost(const std::string &mask = "", CGItype t = IDENTFIRST, const std::string &password ="")
\r : hostmask(mask), type(t), password(password)
\r {
\r }
\r};
\rtypedef std::vector<CGIhost> CGIHostlist;
\r\rclass cmd_webirc : public command_t
\r{
\r InspIRCd* Me;
\r CGIHostlist Hosts;
\r bool notify;
\r public:
\r cmd_webirc(InspIRCd* Me, CGIHostlist &Hosts, bool notify) : command_t(Me, "WEBIRC", 0, 4, true), Hosts(Hosts), notify(notify)
\r {
\r this->source = "m_cgiirc.so";
\r this->syntax = "password client hostname ip";
\r }
\r CmdResult Handle(const char** parameters, int pcnt, userrec *user)
\r {
\r if(user->registered == REG_ALL)
\r return CMD_FAILURE;
\r \r for(CGIHostlist::iterator iter = Hosts.begin(); iter != Hosts.end(); iter++)
\r {
\r if(ServerInstance->MatchText(user->host, iter->hostmask) || ServerInstance->MatchText(user->GetIPString(), iter->hostmask))
\r {
\r if(iter->type == WEBIRC && parameters[0] == iter->password)
\r {
\r user->Extend("cgiirc_realhost", new std::string(user->host));
\r user->Extend("cgiirc_realip", new std::string(user->GetIPString()));
\r if (notify)
\r ServerInstance->WriteOpers("*** Connecting user %s detected as using CGI:IRC (%s), changing real host to %s from %s", user->nick, user->host, parameters[2], user->host);
\r user->Extend("cgiirc_webirc_hostname", new std::string(parameters[2]));
\r user->Extend("cgiirc_webirc_ip", new std::string(parameters[3]));
\r return CMD_LOCALONLY;
\r }
\r }
\r }
\r return CMD_FAILURE;
\r }
\r};
\r\r\r/** Resolver for CGI:IRC hostnames encoded in ident/GECOS
\r */
\rclass CGIResolver : public Resolver
\r{
\r std::string typ;
\r int theirfd;
\r userrec* them;
\r bool notify;
\r public:
\r CGIResolver(Module* me, InspIRCd* ServerInstance, bool NotifyOpers, const std::string &source, bool forward, userrec* u, int userfd, const std::string &type, bool &cached)
\r : Resolver(ServerInstance, source, forward ? DNS_QUERY_A : DNS_QUERY_PTR4, cached, me), typ(type), theirfd(userfd), them(u), notify(NotifyOpers) { }
\r\r virtual void OnLookupComplete(const std::string &result, unsigned int ttl, bool cached)
\r {
\r /* Check the user still exists */
\r if ((them) && (them == ServerInstance->SE->GetRef(theirfd)))
\r {
\r if (notify)
\r ServerInstance->WriteOpers("*** Connecting user %s detected as using CGI:IRC (%s), changing real host to %s from %s", them->nick, them->host, result.c_str(), typ.c_str());
\r\r strlcpy(them->host, result.c_str(), 63);
\r strlcpy(them->dhost, result.c_str(), 63);
\r strlcpy(them->ident, "~cgiirc", 8);
\r them->InvalidateCache();
\r }
\r }
\r\r virtual void OnError(ResolverError e, const std::string &errormessage)
\r {
\r if ((them) && (them == ServerInstance->SE->GetRef(theirfd)))
\r {
\r if (notify)
\r ServerInstance->WriteOpers("*** Connecting user %s detected as using CGI:IRC (%s), but their host can't be resolved from their %s!", them->nick, them->host,typ.c_str());
\r }
\r }
\r\r virtual ~CGIResolver()
\r {
\r }
\r};
\r\rclass ModuleCgiIRC : public Module
\r{
\r cmd_webirc* mycommand;
\r bool NotifyOpers;
\r CGIHostlist Hosts;
\rpublic:
\r ModuleCgiIRC(InspIRCd* Me) : Module(Me)
\r {
\r \r OnRehash(NULL,"");
\r mycommand=new cmd_webirc(Me, Hosts, NotifyOpers);
\r ServerInstance->AddCommand(mycommand);
\r }
\r\r void Implements(char* List)
\r {
\r List[I_OnRehash] = List[I_OnUserRegister] = List[I_OnCleanup] = List[I_OnSyncUserMetaData] = List[I_OnDecodeMetaData] = List[I_OnUserQuit] = List[I_OnUserConnect] = 1;
\r }
\r \r virtual Priority Prioritize()
\r {
\r // We want to get here before m_cloaking and m_hostchange etc
\r return PRIORITY_FIRST;
\r }
\r\r virtual void OnRehash(userrec* user, const std::string ¶meter)
\r {
\r ConfigReader Conf(ServerInstance);
\r \r NotifyOpers = Conf.ReadFlag("cgiirc", "opernotice", 0); // If we send an oper notice when a CGI:IRC has their host changed.
\r \r if(Conf.GetError() == CONF_VALUE_NOT_FOUND)
\r NotifyOpers = true;
\r \r for(int i = 0; i < Conf.Enumerate("cgihost"); i++)
\r {
\r std::string hostmask = Conf.ReadValue("cgihost", "mask", i); // An allowed CGI:IRC host
\r std::string type = Conf.ReadValue("cgihost", "type", i); // What type of user-munging we do on this host.
\r std::string password = Conf.ReadValue("cgihost", "password", i);
\r \r if(hostmask.length())
\r {
\r if(type == "webirc" && !password.length()) {
\r ServerInstance->Log(DEFAULT, "m_cgiirc: Missing password in config: %s", hostmask.c_str());
\r } else {
\r CGItype cgitype;
\r if(type == "pass")
\r cgitype = PASS;
\r else if(type == "ident")
\r cgitype = IDENT;
\r else if(type == "passfirst")
\r cgitype = PASSFIRST;
\r else if(type == "webirc") {
\r cgitype = WEBIRC;
\r }
\r Hosts.push_back(CGIhost(hostmask,cgitype, password.length() ? password : "" ));
\r }
\r }
\r else
\r {
\r ServerInstance->Log(DEFAULT, "m_cgiirc.so: Invalid <cgihost:mask> value in config: %s", hostmask.c_str());
\r continue;
\r }
\r }
\r }
\r\r virtual void OnCleanup(int target_type, void* item)
\r {
\r if(target_type == TYPE_USER)
\r {
\r userrec* user = (userrec*)item;
\r std::string* realhost;
\r std::string* realip;
\r \r if(user->GetExt("cgiirc_realhost", realhost))
\r {
\r delete realhost;
\r user->Shrink("cgiirc_realhost");
\r }
\r \r if(user->GetExt("cgiirc_realip", realip))
\r {
\r delete realip;
\r user->Shrink("cgiirc_realip");
\r }
\r }
\r }
\r \r virtual void OnSyncUserMetaData(userrec* user, Module* proto, void* opaque, const std::string &extname, bool displayable)
\r {
\r if((extname == "cgiirc_realhost") || (extname == "cgiirc_realip"))
\r {
\r std::string* data;
\r \r if(user->GetExt(extname, data))
\r {
\r proto->ProtoSendMetaData(opaque, TYPE_USER, user, extname, *data);
\r }
\r }
\r }
\r\r virtual void OnDecodeMetaData(int target_type, void* target, const std::string &extname, const std::string &extdata)
\r {
\r if(target_type == TYPE_USER)
\r {
\r userrec* dest = (userrec*)target;
\r std::string* bleh;
\r if(((extname == "cgiirc_realhost") || (extname == "cgiirc_realip")) && (!dest->GetExt(extname, bleh)))
\r {
\r dest->Extend(extname, new std::string(extdata));
\r }
\r }
\r }
\r\r virtual void OnUserQuit(userrec* user, const std::string &message, const std::string &oper_message)
\r {
\r OnCleanup(TYPE_USER, user);
\r }
\r \r\r virtual int OnUserRegister(userrec* user)
\r {
\r for(CGIHostlist::iterator iter = Hosts.begin(); iter != Hosts.end(); iter++)
\r {
\r if(ServerInstance->MatchText(user->host, iter->hostmask) || ServerInstance->MatchText(user->GetIPString(), iter->hostmask))
\r {
\r // Deal with it...
\r if(iter->type == PASS)
\r {
\r CheckPass(user); // We do nothing if it fails so...
\r }
\r else if(iter->type == PASSFIRST && !CheckPass(user))
\r {
\r // If the password lookup failed, try the ident
\r CheckIdent(user); // If this fails too, do nothing
\r }
\r else if(iter->type == IDENT)
\r {
\r CheckIdent(user); // Nothing on failure.
\r }
\r else if(iter->type == IDENTFIRST && !CheckIdent(user))
\r {
\r // If the ident lookup fails, try the password.
\r CheckPass(user);
\r }
\r else if(iter->type == WEBIRC)
\r {
\r // We don't need to do anything here
\r }
\r return 0;
\r }
\r }
\r return 0;
\r }
\r\r virtual void OnUserConnect(userrec* user)
\r {
\r std::string *webirc_hostname, *webirc_ip;
\r if(user->GetExt("cgiirc_webirc_hostname", webirc_hostname))
\r {
\r strlcpy(user->host,webirc_hostname->c_str(),63);
\r strlcpy(user->dhost,webirc_hostname->c_str(),63);
\r delete webirc_hostname;
\r user->InvalidateCache();
\r user->Shrink("cgiirc_webirc_hostname");
\r }
\r if(user->GetExt("cgiirc_webirc_ip", webirc_ip))
\r {
\r bool valid=false;
\r user->RemoveCloneCounts();
\r#ifdef IPV6
\r valid = (inet_pton(AF_INET6, webirc_ip->c_str(), &((sockaddr_in6*)user->ip)->sin6_addr) > 0);
\r\r if(!valid)
\r valid = (inet_aton(webirc_ip->c_str(), &((sockaddr_in*)user->ip)->sin_addr));
\r#else
\r if (inet_aton(webirc_ip->c_str(), &((sockaddr_in*)user->ip)->sin_addr))
\r valid = true;
\r#endif
\r\r delete webirc_ip;
\r user->InvalidateCache();
\r user->Shrink("cgiirc_webirc_ip");
\r ServerInstance->AddLocalClone(user);
\r ServerInstance->AddGlobalClone(user);
\r user->CheckClass();
\r }
\r }
\r\r bool CheckPass(userrec* user)
\r {
\r if(IsValidHost(user->password))
\r {
\r user->Extend("cgiirc_realhost", new std::string(user->host));
\r user->Extend("cgiirc_realip", new std::string(user->GetIPString()));
\r strlcpy(user->host, user->password, 64);
\r strlcpy(user->dhost, user->password, 64);
\r user->InvalidateCache();
\r\r bool valid = false;
\r user->RemoveCloneCounts();
\r#ifdef IPV6
\r if (user->GetProtocolFamily() == AF_INET6)
\r valid = (inet_pton(AF_INET6, user->password, &((sockaddr_in6*)user->ip)->sin6_addr) > 0);
\r else
\r valid = (inet_aton(user->password, &((sockaddr_in*)user->ip)->sin_addr));
\r#else
\r if (inet_aton(user->password, &((sockaddr_in*)user->ip)->sin_addr))
\r valid = true;
\r#endif
\r ServerInstance->AddLocalClone(user);
\r ServerInstance->AddGlobalClone(user);
\r user->CheckClass();
\r\r if (valid)
\r {
\r /* We were given a IP in the password, we don't do DNS so they get this is as their host as well. */
\r if(NotifyOpers)
\r ServerInstance->WriteOpers("*** Connecting user %s detected as using CGI:IRC (%s), changing real host to %s from PASS", user->nick, user->host, user->password);
\r }
\r else
\r {
\r /* We got as resolved hostname in the password. */
\r try
\r {
\r\r bool cached;
\r CGIResolver* r = new CGIResolver(this, ServerInstance, NotifyOpers, user->password, false, user, user->GetFd(), "PASS", cached);
\r ServerInstance->AddResolver(r, cached);
\r }
\r catch (...)
\r {
\r if (NotifyOpers)
\r ServerInstance->WriteOpers("*** Connecting user %s detected as using CGI:IRC (%s), but i could not resolve their hostname!", user->nick, user->host);
\r }
\r }
\r \r *user->password = 0;
\r\r /*if(NotifyOpers)
\r ServerInstance->WriteOpers("*** Connecting user %s detected as using CGI:IRC (%s), changing real host to %s from PASS", user->nick, user->host, user->password);*/
\r\r return true;
\r }
\r \r return false;
\r }
\r \r bool CheckIdent(userrec* user)
\r {
\r int ip[4];
\r char* ident;
\r char newip[16];
\r int len = strlen(user->ident);
\r \r if(len == 8)
\r ident = user->ident;
\r else if(len == 9 && *user->ident == '~')
\r ident = user->ident+1;
\r else
\r return false;
\r \r for(int i = 0; i < 4; i++)
\r if(!HexToInt(ip[i], ident + i*2))
\r return false;
\r\r snprintf(newip, 16, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
\r \r user->Extend("cgiirc_realhost", new std::string(user->host));
\r user->Extend("cgiirc_realip", new std::string(user->GetIPString()));
\r user->RemoveCloneCounts();
\r#ifdef IPV6
\r if (user->GetProtocolFamily() == AF_INET6)
\r inet_pton(AF_INET6, newip, &((sockaddr_in6*)user->ip)->sin6_addr);
\r else
\r#endif
\r inet_aton(newip, &((sockaddr_in*)user->ip)->sin_addr);
\r ServerInstance->AddLocalClone(user);
\r ServerInstance->AddGlobalClone(user);
\r user->CheckClass();
\r try
\r {
\r strlcpy(user->host, newip, 16);
\r strlcpy(user->dhost, newip, 16);
\r strlcpy(user->ident, "~cgiirc", 8);
\r\r bool cached;
\r CGIResolver* r = new CGIResolver(this, ServerInstance, NotifyOpers, newip, false, user, user->GetFd(), "IDENT", cached);
\r ServerInstance->AddResolver(r, cached);
\r }
\r catch (...)
\r {
\r strlcpy(user->host, newip, 16);
\r strlcpy(user->dhost, newip, 16);
\r strlcpy(user->ident, "~cgiirc", 8);
\r user->InvalidateCache();
\r\r if(NotifyOpers)
\r ServerInstance->WriteOpers("*** Connecting user %s detected as using CGI:IRC (%s), but i could not resolve their hostname!", user->nick, user->host);
\r }
\r /*strlcpy(user->host, newip, 16);
\r strlcpy(user->dhost, newip, 16);
\r strlcpy(user->ident, "~cgiirc", 8);*/
\r\r return true;
\r }
\r \r bool IsValidHost(const std::string &host)
\r {
\r if(!host.size())
\r return false;
\r \r for(unsigned int i = 0; i < host.size(); i++)
\r {
\r if( ((host[i] >= '0') && (host[i] <= '9')) ||
\r ((host[i] >= 'A') && (host[i] <= 'Z')) ||
\r ((host[i] >= 'a') && (host[i] <= 'z')) ||
\r ((host[i] == '-') && (i > 0) && (i+1 < host.size()) && (host[i-1] != '.') && (host[i+1] != '.')) ||
\r ((host[i] == '.') && (i > 0) && (i+1 < host.size())) )
\r \r continue;
\r else
\r return false;
\r }
\r \r return true;
\r }
\r\r bool IsValidIP(const std::string &ip)
\r {
\r if(ip.size() < 7 || ip.size() > 15)
\r return false;
\r \r short sincedot = 0;
\r short dots = 0;
\r \r for(unsigned int i = 0; i < ip.size(); i++)
\r {
\r if((dots <= 3) && (sincedot <= 3))
\r {
\r if((ip[i] >= '0') && (ip[i] <= '9'))
\r {
\r sincedot++;
\r }
\r else if(ip[i] == '.')
\r {
\r sincedot = 0;
\r dots++;
\r }
\r }
\r else
\r {
\r return false;
\r \r }
\r }
\r \r if(dots != 3)
\r return false;
\r \r return true;
\r }
\r \r bool HexToInt(int &out, const char* in)
\r {
\r char ip[3];
\r ip[0] = in[0];
\r ip[1] = in[1];
\r ip[2] = 0;
\r out = strtol(ip, NULL, 16);
\r \r if(out > 255 || out < 0)
\r return false;
\r\r return true;
\r }
\r \r virtual ~ModuleCgiIRC()
\r {
\r }
\r \r virtual Version GetVersion()
\r {
\r return Version(1,1,0,0,VF_VENDOR,API_VERSION);
\r }
\r \r};
\r\rMODULE_INIT(ModuleCgiIRC)
\r\ No newline at end of file
+/*
+ * InspIRCd -- Internet Relay Chat Daemon
+ *
+ * Copyright (C) 2019 linuxdaemon <linuxdaemon.irc@gmail.com>
+ * Copyright (C) 2014 md_5 <git@md-5.net>
+ * Copyright (C) 2014 Googolplexed <googol@googolplexed.net>
+ * Copyright (C) 2013, 2017-2018, 2020 Sadie Powell <sadie@witchery.services>
+ * Copyright (C) 2013 Adam <Adam@anope.org>
+ * Copyright (C) 2012-2013, 2015 Attila Molnar <attilamolnar@hush.com>
+ * Copyright (C) 2012, 2019 Robby <robby@chatbelgie.be>
+ * Copyright (C) 2009-2010 Daniel De Graaf <danieldg@inspircd.org>
+ * Copyright (C) 2009 Uli Schlachter <psychon@inspircd.org>
+ * Copyright (C) 2007-2009 Robin Burchell <robin+git@viroteck.net>
+ * Copyright (C) 2007 Dennis Friis <peavey@inspircd.org>
+ * Copyright (C) 2006-2007, 2010 Craig Edwards <brain@inspircd.org>
+ *
+ * This file is part of InspIRCd. InspIRCd is free software: you can
+ * redistribute it and/or modify it under the terms of the GNU General Public
+ * License as published by the Free Software Foundation, version 2.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+
+#include "inspircd.h"
+#include "modules/ssl.h"
+#include "modules/webirc.h"
+#include "modules/whois.h"
+
+enum
+{
+ // InspIRCd-specific.
+ RPL_WHOISGATEWAY = 350
+};
+
+// Encapsulates information about an ident host.
+class IdentHost
+{
+ private:
+ std::string hostmask;
+ std::string newident;
+
+ public:
+ IdentHost(const std::string& mask, const std::string& ident)
+ : hostmask(mask)
+ , newident(ident)
+ {
+ }
+
+ const std::string& GetIdent() const
+ {
+ return newident;
+ }
+
+ bool Matches(LocalUser* user) const
+ {
+ if (!InspIRCd::Match(user->GetRealHost(), hostmask, ascii_case_insensitive_map))
+ return false;
+
+ return InspIRCd::MatchCIDR(user->GetIPString(), hostmask, ascii_case_insensitive_map);
+ }
+};
+
+// Encapsulates information about a WebIRC host.
+class WebIRCHost
+{
+ private:
+ std::string hostmask;
+ std::string fingerprint;
+ std::string password;
+ std::string passhash;
+
+ public:
+ WebIRCHost(const std::string& mask, const std::string& fp, const std::string& pass, const std::string& hash)
+ : hostmask(mask)
+ , fingerprint(fp)
+ , password(pass)
+ , passhash(hash)
+ {
+ }
+
+ bool Matches(LocalUser* user, const std::string& pass, UserCertificateAPI& sslapi) const
+ {
+ // Did the user send a valid password?
+ if (!password.empty() && !ServerInstance->PassCompare(user, password, pass, passhash))
+ return false;
+
+ // Does the user have a valid fingerprint?
+ const std::string fp = sslapi ? sslapi->GetFingerprint(user) : "";
+ if (!fingerprint.empty() && !InspIRCd::TimingSafeCompare(fp, fingerprint))
+ return false;
+
+ // Does the user's hostname match our hostmask?
+ if (InspIRCd::Match(user->GetRealHost(), hostmask, ascii_case_insensitive_map))
+ return true;
+
+ // Does the user's IP address match our hostmask?
+ return InspIRCd::MatchCIDR(user->GetIPString(), hostmask, ascii_case_insensitive_map);
+ }
+};
+
+/*
+ * WEBIRC
+ * This is used for the webirc method of CGIIRC auth, and is (really) the best way to do these things.
+ * Syntax: WEBIRC password gateway hostname ip
+ * Where password is a shared key, gateway is the name of the WebIRC gateway and version (e.g. cgiirc), hostname
+ * is the resolved host of the client issuing the command and IP is the real IP of the client.
+ *
+ * How it works:
+ * To tie in with the rest of cgiirc module, and to avoid race conditions, /webirc is only processed locally
+ * and simply sets metadata on the user, which is later decoded on full connect to give something meaningful.
+ */
+class CommandWebIRC : public SplitCommand
+{
+ public:
+ std::vector<WebIRCHost> hosts;
+ bool notify;
+ StringExtItem gateway;
+ StringExtItem realhost;
+ StringExtItem realip;
+ UserCertificateAPI sslapi;
+ Events::ModuleEventProvider webircevprov;
+
+ CommandWebIRC(Module* Creator)
+ : SplitCommand(Creator, "WEBIRC", 4)
+ , gateway("cgiirc_gateway", ExtensionItem::EXT_USER, Creator)
+ , realhost("cgiirc_realhost", ExtensionItem::EXT_USER, Creator)
+ , realip("cgiirc_realip", ExtensionItem::EXT_USER, Creator)
+ , sslapi(Creator)
+ , webircevprov(Creator, "event/webirc")
+ {
+ allow_empty_last_param = false;
+ works_before_reg = true;
+ this->syntax = "<password> <gateway> <hostname> <ip> [<flags>]";
+ }
+
+ CmdResult HandleLocal(LocalUser* user, const Params& parameters) CXX11_OVERRIDE
+ {
+ if (user->registered == REG_ALL || realhost.get(user))
+ return CMD_FAILURE;
+
+ for (std::vector<WebIRCHost>::const_iterator iter = hosts.begin(); iter != hosts.end(); ++iter)
+ {
+ // If we don't match the host then skip to the next host.
+ if (!iter->Matches(user, parameters[0], sslapi))
+ continue;
+
+ irc::sockets::sockaddrs ipaddr;
+ if (!irc::sockets::aptosa(parameters[3], user->client_sa.port(), ipaddr))
+ {
+ WriteLog("Connecting user %s (%s) tried to use WEBIRC but gave an invalid IP address.",
+ user->uuid.c_str(), user->GetIPString().c_str());
+ ServerInstance->Users->QuitUser(user, "WEBIRC: IP address is invalid: " + parameters[3]);
+ return CMD_FAILURE;
+ }
+
+ // The user matched a WebIRC block!
+ gateway.set(user, parameters[1]);
+ realhost.set(user, user->GetRealHost());
+ realip.set(user, user->GetIPString());
+
+ WriteLog("Connecting user %s is using a WebIRC gateway; changing their IP from %s to %s.",
+ user->uuid.c_str(), user->GetIPString().c_str(), parameters[3].c_str());
+
+ // If we have custom flags then deal with them.
+ WebIRC::FlagMap flags;
+ const bool hasflags = (parameters.size() > 4);
+ if (hasflags)
+ {
+ // Parse the flags.
+ irc::spacesepstream flagstream(parameters[4]);
+ for (std::string flag; flagstream.GetToken(flag); )
+ {
+ // Does this flag have a value?
+ const size_t separator = flag.find('=');
+ if (separator == std::string::npos)
+ {
+ flags[flag];
+ continue;
+ }
+
+ // The flag has a value!
+ const std::string key = flag.substr(0, separator);
+ const std::string value = flag.substr(separator + 1);
+ flags[key] = value;
+ }
+ }
+
+ // Inform modules about the WebIRC attempt.
+ FOREACH_MOD_CUSTOM(webircevprov, WebIRC::EventListener, OnWebIRCAuth, (user, (hasflags ? &flags : NULL)));
+
+ // Set the IP address sent via WEBIRC. We ignore the hostname and lookup
+ // instead do our own DNS lookups because of unreliable gateways.
+ user->SetClientIP(ipaddr);
+ return CMD_SUCCESS;
+ }
+
+ WriteLog("Connecting user %s (%s) tried to use WEBIRC but didn't match any configured WebIRC hosts.",
+ user->uuid.c_str(), user->GetIPString().c_str());
+ ServerInstance->Users->QuitUser(user, "WEBIRC: you don't match any configured WebIRC hosts.");
+ return CMD_FAILURE;
+ }
+
+ void WriteLog(const char* message, ...) CUSTOM_PRINTF(2, 3)
+ {
+ std::string buffer;
+ VAFORMAT(buffer, message, message);
+
+ // If we are sending a snotice then the message will already be
+ // written to the logfile.
+ if (notify)
+ ServerInstance->SNO->WriteGlobalSno('w', buffer);
+ else
+ ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, buffer);
+ }
+};
+
+class ModuleCgiIRC
+ : public Module
+ , public WebIRC::EventListener
+ , public Whois::EventListener
+{
+ private:
+ CommandWebIRC cmd;
+ std::vector<IdentHost> hosts;
+
+ static bool ParseIdent(LocalUser* user, irc::sockets::sockaddrs& out)
+ {
+ const char* ident = NULL;
+ if (user->ident.length() == 8)
+ {
+ // The ident is an IPv4 address encoded in hexadecimal with two characters
+ // per address segment.
+ ident = user->ident.c_str();
+ }
+ else if (user->ident.length() == 9 && user->ident[0] == '~')
+ {
+ // The same as above but m_ident got to this user before we did. Strip the
+ // ident prefix and continue as normal.
+ ident = user->ident.c_str() + 1;
+ }
+ else
+ {
+ // The user either does not have an IPv4 in their ident or the gateway server
+ // is also running an identd. In the latter case there isn't really a lot we
+ // can do so we just assume that the client in question is not connecting via
+ // an ident gateway.
+ return false;
+ }
+
+ // Try to convert the IP address to a string. If this fails then the user
+ // does not have an IPv4 address in their ident.
+ errno = 0;
+ unsigned long address = strtoul(ident, NULL, 16);
+ if (errno)
+ return false;
+
+ out.in4.sin_family = AF_INET;
+ out.in4.sin_addr.s_addr = htonl(address);
+ return true;
+ }
+
+ public:
+ ModuleCgiIRC()
+ : WebIRC::EventListener(this)
+ , Whois::EventListener(this)
+ , cmd(this)
+ {
+ }
+
+ void init() CXX11_OVERRIDE
+ {
+ ServerInstance->SNO->EnableSnomask('w', "CGIIRC");
+ }
+
+ void ReadConfig(ConfigStatus& status) CXX11_OVERRIDE
+ {
+ std::vector<IdentHost> identhosts;
+ std::vector<WebIRCHost> webirchosts;
+
+ ConfigTagList tags = ServerInstance->Config->ConfTags("cgihost");
+ for (ConfigIter i = tags.first; i != tags.second; ++i)
+ {
+ ConfigTag* tag = i->second;
+
+ // Ensure that we have the <cgihost:mask> parameter.
+ const std::string mask = tag->getString("mask");
+ if (mask.empty())
+ throw ModuleException("<cgihost:mask> is a mandatory field, at " + tag->getTagLocation());
+
+ // Determine what lookup type this host uses.
+ const std::string type = tag->getString("type");
+ if (stdalgo::string::equalsci(type, "ident"))
+ {
+ // The IP address should be looked up from the hex IP address.
+ const std::string newident = tag->getString("newident", "gateway", ServerInstance->IsIdent);
+ identhosts.push_back(IdentHost(mask, newident));
+ }
+ else if (stdalgo::string::equalsci(type, "webirc"))
+ {
+ // The IP address will be received via the WEBIRC command.
+ const std::string fingerprint = tag->getString("fingerprint");
+ const std::string password = tag->getString("password");
+ const std::string passwordhash = tag->getString("hash", "plaintext", 1);
+
+ // WebIRC blocks require a password.
+ if (fingerprint.empty() && password.empty())
+ throw ModuleException("When using <cgihost type=\"webirc\"> either the fingerprint or password field is required, at " + tag->getTagLocation());
+
+ if (!password.empty() && stdalgo::string::equalsci(passwordhash, "plaintext"))
+ {
+ ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "<cgihost> tag at %s contains an plain text password, this is insecure!",
+ tag->getTagLocation().c_str());
+ }
+
+ webirchosts.push_back(WebIRCHost(mask, fingerprint, password, passwordhash));
+ }
+ else
+ {
+ throw ModuleException(type + " is an invalid <cgihost:mask> type, at " + tag->getTagLocation());
+ }
+ }
+
+ // The host configuration was valid so we can apply it.
+ hosts.swap(identhosts);
+ cmd.hosts.swap(webirchosts);
+
+ // Do we send an oper notice when a m_cgiirc client has their IP changed?
+ cmd.notify = ServerInstance->Config->ConfValue("cgiirc")->getBool("opernotice", true);
+ }
+
+ ModResult OnSetConnectClass(LocalUser* user, ConnectClass* myclass) CXX11_OVERRIDE
+ {
+ // If <connect:webirc> is not set then we have nothing to do.
+ const std::string webirc = myclass->config->getString("webirc");
+ if (webirc.empty())
+ return MOD_RES_PASSTHRU;
+
+ // If the user is not connecting via a WebIRC gateway then they
+ // cannot match this connect class.
+ const std::string* gateway = cmd.gateway.get(user);
+ if (!gateway)
+ {
+ ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "The %s connect class is not suitable as it requires a connection via a WebIRC gateway",
+ myclass->GetName().c_str());
+ return MOD_RES_DENY;
+ }
+
+ // If the gateway matches the <connect:webirc> constraint then
+ // allow the check to continue. Otherwise, reject it.
+ if (!InspIRCd::Match(*gateway, webirc))
+ {
+ ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "The %s connect class is not suitable as the WebIRC gateway name (%s) does not match %s",
+ myclass->GetName().c_str(), gateway->c_str(), webirc.c_str());
+ return MOD_RES_DENY;
+ }
+
+ return MOD_RES_PASSTHRU;
+ }
+
+ ModResult OnUserRegister(LocalUser* user) CXX11_OVERRIDE
+ {
+ // There is no need to check for gateways if one is already being used.
+ if (cmd.realhost.get(user))
+ return MOD_RES_PASSTHRU;
+
+ for (std::vector<IdentHost>::const_iterator iter = hosts.begin(); iter != hosts.end(); ++iter)
+ {
+ // If we don't match the host then skip to the next host.
+ if (!iter->Matches(user))
+ continue;
+
+ // We have matched an <cgihost> block! Try to parse the encoded IPv4 address
+ // out of the ident.
+ irc::sockets::sockaddrs address(user->client_sa);
+ if (!ParseIdent(user, address))
+ return MOD_RES_PASSTHRU;
+
+ // Store the hostname and IP of the gateway for later use.
+ cmd.realhost.set(user, user->GetRealHost());
+ cmd.realip.set(user, user->GetIPString());
+
+ const std::string& newident = iter->GetIdent();
+ cmd.WriteLog("Connecting user %s is using an ident gateway; changing their IP from %s to %s and their ident from %s to %s.",
+ user->uuid.c_str(), user->GetIPString().c_str(), address.addr().c_str(), user->ident.c_str(), newident.c_str());
+
+ user->ChangeIdent(newident);
+ user->SetClientIP(address);
+ break;
+ }
+ return MOD_RES_PASSTHRU;
+ }
+
+ void OnWebIRCAuth(LocalUser* user, const WebIRC::FlagMap* flags) CXX11_OVERRIDE
+ {
+ // We are only interested in connection flags. If none have been
+ // given then we have nothing to do.
+ if (!flags)
+ return;
+
+ WebIRC::FlagMap::const_iterator cport = flags->find("remote-port");
+ if (cport != flags->end())
+ {
+ // If we can't parse the port then just give up.
+ uint16_t port = ConvToNum<uint16_t>(cport->second);
+ if (port)
+ {
+ switch (user->client_sa.family())
+ {
+ case AF_INET:
+ user->client_sa.in4.sin_port = htons(port);
+ break;
+
+ case AF_INET6:
+ user->client_sa.in6.sin6_port = htons(port);
+ break;
+
+ default:
+ // If we have reached this point then we have encountered a bug.
+ ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "BUG: OnWebIRCAuth(%s): socket type %d is unknown!",
+ user->uuid.c_str(), user->client_sa.family());
+ return;
+ }
+ }
+ }
+
+ WebIRC::FlagMap::const_iterator sport = flags->find("local-port");
+ if (sport != flags->end())
+ {
+ // If we can't parse the port then just give up.
+ uint16_t port = ConvToNum<uint16_t>(sport->second);
+ if (port)
+ {
+ switch (user->server_sa.family())
+ {
+ case AF_INET:
+ user->server_sa.in4.sin_port = htons(port);
+ break;
+
+ case AF_INET6:
+ user->server_sa.in6.sin6_port = htons(port);
+ break;
+
+ default:
+ // If we have reached this point then we have encountered a bug.
+ ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "BUG: OnWebIRCAuth(%s): socket type %d is unknown!",
+ user->uuid.c_str(), user->server_sa.family());
+ return;
+ }
+ }
+ }
+ }
+
+ void OnWhois(Whois::Context& whois) CXX11_OVERRIDE
+ {
+ if (!whois.IsSelfWhois() && !whois.GetSource()->HasPrivPermission("users/auspex"))
+ return;
+
+ // If these fields are not set then the client is not using a gateway.
+ const std::string* realhost = cmd.realhost.get(whois.GetTarget());
+ const std::string* realip = cmd.realip.get(whois.GetTarget());
+ if (!realhost || !realip)
+ return;
+
+ const std::string* gateway = cmd.gateway.get(whois.GetTarget());
+ if (gateway)
+ whois.SendLine(RPL_WHOISGATEWAY, *realhost, *realip, "is connected via the " + *gateway + " WebIRC gateway");
+ else
+ whois.SendLine(RPL_WHOISGATEWAY, *realhost, *realip, "is connected via an ident gateway");
+ }
+
+ Version GetVersion() CXX11_OVERRIDE
+ {
+ return Version("Adds the ability for IRC gateways to forward the real IP address of users connecting through them.", VF_VENDOR);
+ }
+};
+
+MODULE_INIT(ModuleCgiIRC)
projects / user / henk / code / inspircd.git / blobdiff