X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fm_cgiirc.cpp;h=52c24e50ad89eb815173d9abbc46b72efbbf09d2;hb=3151d60c1ecc9462e4c335282ee6c31672f45111;hp=64fd6c69fb6ee062b89bb47dc3fdf6803ec8c98f;hpb=bab14f0dd2345c9d7dcbc47c918563709e1ac094;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/src/modules/m_cgiirc.cpp b/src/modules/m_cgiirc.cpp index 64fd6c69f..52c24e50a 100644 --- a/src/modules/m_cgiirc.cpp +++ b/src/modules/m_cgiirc.cpp @@ -1 +1,484 @@ -/* +------------------------------------+ * | Inspire Internet Relay Chat Daemon | * +------------------------------------+ * * InspIRCd: (C) 2002-2007 InspIRCd Development Team * See: http://www.inspircd.org/wiki/index.php/Credits * * This program is free but copyrighted software; see * the file COPYING for details. * * --------------------------------------------------- */ #include "inspircd.h" #include "users.h" #include "modules.h" #include "dns.h" #ifndef WINDOWS #include #include #include #endif /* $ModDesc: Change user's hosts connecting from known CGI:IRC hosts */ enum CGItype { PASS, IDENT, PASSFIRST, IDENTFIRST, WEBIRC }; /** Holds a CGI site's details */ class CGIhost : public classbase { public: std::string hostmask; CGItype type; std::string password; CGIhost(const std::string &mask = "", CGItype t = IDENTFIRST, const std::string &password ="") : hostmask(mask), type(t), password(password) { } }; typedef std::vector CGIHostlist; class cmd_webirc : public command_t { InspIRCd* Me; CGIHostlist Hosts; bool notify; public: cmd_webirc(InspIRCd* Me, CGIHostlist &Hosts, bool notify) : command_t(Me, "WEBIRC", 0, 4, true), Hosts(Hosts), notify(notify) { this->source = "m_cgiirc.so"; this->syntax = "password client hostname ip"; } CmdResult Handle(const char** parameters, int pcnt, userrec *user) { if(user->registered == REG_ALL) return CMD_FAILURE; for(CGIHostlist::iterator iter = Hosts.begin(); iter != Hosts.end(); iter++) { if(ServerInstance->MatchText(user->host, iter->hostmask) || ServerInstance->MatchText(user->GetIPString(), iter->hostmask)) { if(iter->type == WEBIRC && parameters[0] == iter->password) { user->Extend("cgiirc_realhost", new std::string(user->host)); user->Extend("cgiirc_realip", new std::string(user->GetIPString())); if (notify) ServerInstance->WriteOpers("*** Connecting user %s detected as using CGI:IRC (%s), changing real host to %s from %s", user->nick, user->host, parameters[2], user->host); user->Extend("cgiirc_webirc_hostname", new std::string(parameters[2])); user->Extend("cgiirc_webirc_ip", new std::string(parameters[3])); return CMD_LOCALONLY; } } } return CMD_FAILURE; } }; /** Resolver for CGI:IRC hostnames encoded in ident/GECOS */ class CGIResolver : public Resolver { std::string typ; int theirfd; userrec* them; bool notify; public: CGIResolver(Module* me, InspIRCd* ServerInstance, bool NotifyOpers, const std::string &source, bool forward, userrec* u, int userfd, const std::string &type, bool &cached) : Resolver(ServerInstance, source, forward ? DNS_QUERY_A : DNS_QUERY_PTR4, cached, me), typ(type), theirfd(userfd), them(u), notify(NotifyOpers) { } virtual void OnLookupComplete(const std::string &result, unsigned int ttl, bool cached) { /* Check the user still exists */ if ((them) && (them == ServerInstance->SE->GetRef(theirfd))) { if (notify) ServerInstance->WriteOpers("*** Connecting user %s detected as using CGI:IRC (%s), changing real host to %s from %s", them->nick, them->host, result.c_str(), typ.c_str()); strlcpy(them->host, result.c_str(), 63); strlcpy(them->dhost, result.c_str(), 63); strlcpy(them->ident, "~cgiirc", 8); them->InvalidateCache(); } } virtual void OnError(ResolverError e, const std::string &errormessage) { if ((them) && (them == ServerInstance->SE->GetRef(theirfd))) { if (notify) ServerInstance->WriteOpers("*** Connecting user %s detected as using CGI:IRC (%s), but their host can't be resolved from their %s!", them->nick, them->host,typ.c_str()); } } virtual ~CGIResolver() { } }; class ModuleCgiIRC : public Module { cmd_webirc* mycommand; bool NotifyOpers; CGIHostlist Hosts; public: ModuleCgiIRC(InspIRCd* Me) : Module(Me) { OnRehash(NULL,""); mycommand=new cmd_webirc(Me, Hosts, NotifyOpers); ServerInstance->AddCommand(mycommand); } void Implements(char* List) { List[I_OnRehash] = List[I_OnUserRegister] = List[I_OnCleanup] = List[I_OnSyncUserMetaData] = List[I_OnDecodeMetaData] = List[I_OnUserQuit] = List[I_OnUserConnect] = 1; } virtual Priority Prioritize() { // We want to get here before m_cloaking and m_hostchange etc return PRIORITY_FIRST; } virtual void OnRehash(userrec* user, const std::string ¶meter) { ConfigReader Conf(ServerInstance); NotifyOpers = Conf.ReadFlag("cgiirc", "opernotice", 0); // If we send an oper notice when a CGI:IRC has their host changed. if(Conf.GetError() == CONF_VALUE_NOT_FOUND) NotifyOpers = true; for(int i = 0; i < Conf.Enumerate("cgihost"); i++) { std::string hostmask = Conf.ReadValue("cgihost", "mask", i); // An allowed CGI:IRC host std::string type = Conf.ReadValue("cgihost", "type", i); // What type of user-munging we do on this host. std::string password = Conf.ReadValue("cgihost", "password", i); if(hostmask.length()) { if(type == "webirc" && !password.length()) { ServerInstance->Log(DEFAULT, "m_cgiirc: Missing password in config: %s", hostmask.c_str()); } else { CGItype cgitype; if(type == "pass") cgitype = PASS; else if(type == "ident") cgitype = IDENT; else if(type == "passfirst") cgitype = PASSFIRST; else if(type == "webirc") { cgitype = WEBIRC; } Hosts.push_back(CGIhost(hostmask,cgitype, password.length() ? password : "" )); } } else { ServerInstance->Log(DEFAULT, "m_cgiirc.so: Invalid value in config: %s", hostmask.c_str()); continue; } } } virtual void OnCleanup(int target_type, void* item) { if(target_type == TYPE_USER) { userrec* user = (userrec*)item; std::string* realhost; std::string* realip; if(user->GetExt("cgiirc_realhost", realhost)) { delete realhost; user->Shrink("cgiirc_realhost"); } if(user->GetExt("cgiirc_realip", realip)) { delete realip; user->Shrink("cgiirc_realip"); } } } virtual void OnSyncUserMetaData(userrec* user, Module* proto, void* opaque, const std::string &extname, bool displayable) { if((extname == "cgiirc_realhost") || (extname == "cgiirc_realip")) { std::string* data; if(user->GetExt(extname, data)) { proto->ProtoSendMetaData(opaque, TYPE_USER, user, extname, *data); } } } virtual void OnDecodeMetaData(int target_type, void* target, const std::string &extname, const std::string &extdata) { if(target_type == TYPE_USER) { userrec* dest = (userrec*)target; std::string* bleh; if(((extname == "cgiirc_realhost") || (extname == "cgiirc_realip")) && (!dest->GetExt(extname, bleh))) { dest->Extend(extname, new std::string(extdata)); } } } virtual void OnUserQuit(userrec* user, const std::string &message, const std::string &oper_message) { OnCleanup(TYPE_USER, user); } virtual int OnUserRegister(userrec* user) { for(CGIHostlist::iterator iter = Hosts.begin(); iter != Hosts.end(); iter++) { if(ServerInstance->MatchText(user->host, iter->hostmask) || ServerInstance->MatchText(user->GetIPString(), iter->hostmask)) { // Deal with it... if(iter->type == PASS) { CheckPass(user); // We do nothing if it fails so... } else if(iter->type == PASSFIRST && !CheckPass(user)) { // If the password lookup failed, try the ident CheckIdent(user); // If this fails too, do nothing } else if(iter->type == IDENT) { CheckIdent(user); // Nothing on failure. } else if(iter->type == IDENTFIRST && !CheckIdent(user)) { // If the ident lookup fails, try the password. CheckPass(user); } else if(iter->type == WEBIRC) { // We don't need to do anything here } return 0; } } return 0; } virtual void OnUserConnect(userrec* user) { std::string *webirc_hostname, *webirc_ip; if(user->GetExt("cgiirc_webirc_hostname", webirc_hostname)) { strlcpy(user->host,webirc_hostname->c_str(),63); strlcpy(user->dhost,webirc_hostname->c_str(),63); delete webirc_hostname; user->InvalidateCache(); user->Shrink("cgiirc_webirc_hostname"); } if(user->GetExt("cgiirc_webirc_ip", webirc_ip)) { bool valid=false; user->RemoveCloneCounts(); #ifdef IPV6 valid = (inet_pton(AF_INET6, webirc_ip->c_str(), &((sockaddr_in6*)user->ip)->sin6_addr) > 0); if(!valid) valid = (inet_aton(webirc_ip->c_str(), &((sockaddr_in*)user->ip)->sin_addr)); #else if (inet_aton(webirc_ip->c_str(), &((sockaddr_in*)user->ip)->sin_addr)) valid = true; #endif delete webirc_ip; user->InvalidateCache(); user->Shrink("cgiirc_webirc_ip"); ServerInstance->AddLocalClone(user); ServerInstance->AddGlobalClone(user); user->CheckClass(); } } bool CheckPass(userrec* user) { if(IsValidHost(user->password)) { user->Extend("cgiirc_realhost", new std::string(user->host)); user->Extend("cgiirc_realip", new std::string(user->GetIPString())); strlcpy(user->host, user->password, 64); strlcpy(user->dhost, user->password, 64); user->InvalidateCache(); bool valid = false; user->RemoveCloneCounts(); #ifdef IPV6 if (user->GetProtocolFamily() == AF_INET6) valid = (inet_pton(AF_INET6, user->password, &((sockaddr_in6*)user->ip)->sin6_addr) > 0); else valid = (inet_aton(user->password, &((sockaddr_in*)user->ip)->sin_addr)); #else if (inet_aton(user->password, &((sockaddr_in*)user->ip)->sin_addr)) valid = true; #endif ServerInstance->AddLocalClone(user); ServerInstance->AddGlobalClone(user); user->CheckClass(); if (valid) { /* We were given a IP in the password, we don't do DNS so they get this is as their host as well. */ if(NotifyOpers) ServerInstance->WriteOpers("*** Connecting user %s detected as using CGI:IRC (%s), changing real host to %s from PASS", user->nick, user->host, user->password); } else { /* We got as resolved hostname in the password. */ try { bool cached; CGIResolver* r = new CGIResolver(this, ServerInstance, NotifyOpers, user->password, false, user, user->GetFd(), "PASS", cached); ServerInstance->AddResolver(r, cached); } catch (...) { if (NotifyOpers) ServerInstance->WriteOpers("*** Connecting user %s detected as using CGI:IRC (%s), but i could not resolve their hostname!", user->nick, user->host); } } *user->password = 0; /*if(NotifyOpers) ServerInstance->WriteOpers("*** Connecting user %s detected as using CGI:IRC (%s), changing real host to %s from PASS", user->nick, user->host, user->password);*/ return true; } return false; } bool CheckIdent(userrec* user) { int ip[4]; char* ident; char newip[16]; int len = strlen(user->ident); if(len == 8) ident = user->ident; else if(len == 9 && *user->ident == '~') ident = user->ident+1; else return false; for(int i = 0; i < 4; i++) if(!HexToInt(ip[i], ident + i*2)) return false; snprintf(newip, 16, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]); user->Extend("cgiirc_realhost", new std::string(user->host)); user->Extend("cgiirc_realip", new std::string(user->GetIPString())); user->RemoveCloneCounts(); #ifdef IPV6 if (user->GetProtocolFamily() == AF_INET6) inet_pton(AF_INET6, newip, &((sockaddr_in6*)user->ip)->sin6_addr); else #endif inet_aton(newip, &((sockaddr_in*)user->ip)->sin_addr); ServerInstance->AddLocalClone(user); ServerInstance->AddGlobalClone(user); user->CheckClass(); try { strlcpy(user->host, newip, 16); strlcpy(user->dhost, newip, 16); strlcpy(user->ident, "~cgiirc", 8); bool cached; CGIResolver* r = new CGIResolver(this, ServerInstance, NotifyOpers, newip, false, user, user->GetFd(), "IDENT", cached); ServerInstance->AddResolver(r, cached); } catch (...) { strlcpy(user->host, newip, 16); strlcpy(user->dhost, newip, 16); strlcpy(user->ident, "~cgiirc", 8); user->InvalidateCache(); if(NotifyOpers) ServerInstance->WriteOpers("*** Connecting user %s detected as using CGI:IRC (%s), but i could not resolve their hostname!", user->nick, user->host); } /*strlcpy(user->host, newip, 16); strlcpy(user->dhost, newip, 16); strlcpy(user->ident, "~cgiirc", 8);*/ return true; } bool IsValidHost(const std::string &host) { if(!host.size()) return false; for(unsigned int i = 0; i < host.size(); i++) { if( ((host[i] >= '0') && (host[i] <= '9')) || ((host[i] >= 'A') && (host[i] <= 'Z')) || ((host[i] >= 'a') && (host[i] <= 'z')) || ((host[i] == '-') && (i > 0) && (i+1 < host.size()) && (host[i-1] != '.') && (host[i+1] != '.')) || ((host[i] == '.') && (i > 0) && (i+1 < host.size())) ) continue; else return false; } return true; } bool IsValidIP(const std::string &ip) { if(ip.size() < 7 || ip.size() > 15) return false; short sincedot = 0; short dots = 0; for(unsigned int i = 0; i < ip.size(); i++) { if((dots <= 3) && (sincedot <= 3)) { if((ip[i] >= '0') && (ip[i] <= '9')) { sincedot++; } else if(ip[i] == '.') { sincedot = 0; dots++; } } else { return false; } } if(dots != 3) return false; return true; } bool HexToInt(int &out, const char* in) { char ip[3]; ip[0] = in[0]; ip[1] = in[1]; ip[2] = 0; out = strtol(ip, NULL, 16); if(out > 255 || out < 0) return false; return true; } virtual ~ModuleCgiIRC() { } virtual Version GetVersion() { return Version(1,1,0,0,VF_VENDOR,API_VERSION); } }; MODULE_INIT(ModuleCgiIRC) \ No newline at end of file +/* + * InspIRCd -- Internet Relay Chat Daemon + * + * Copyright (C) 2019 linuxdaemon + * Copyright (C) 2014 md_5 + * Copyright (C) 2014 Googolplexed + * Copyright (C) 2013, 2017-2018, 2020 Sadie Powell + * Copyright (C) 2013 Adam + * Copyright (C) 2012-2013, 2015 Attila Molnar + * Copyright (C) 2012, 2019 Robby + * Copyright (C) 2009-2010 Daniel De Graaf + * Copyright (C) 2009 Uli Schlachter + * Copyright (C) 2007-2009 Robin Burchell + * Copyright (C) 2007 Dennis Friis + * Copyright (C) 2006-2007, 2010 Craig Edwards + * + * This file is part of InspIRCd. InspIRCd is free software: you can + * redistribute it and/or modify it under the terms of the GNU General Public + * License as published by the Free Software Foundation, version 2. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + + +#include "inspircd.h" +#include "modules/ssl.h" +#include "modules/webirc.h" +#include "modules/whois.h" + +enum +{ + // InspIRCd-specific. + RPL_WHOISGATEWAY = 350 +}; + +// Encapsulates information about an ident host. +class IdentHost +{ + private: + std::string hostmask; + std::string newident; + + public: + IdentHost(const std::string& mask, const std::string& ident) + : hostmask(mask) + , newident(ident) + { + } + + const std::string& GetIdent() const + { + return newident; + } + + bool Matches(LocalUser* user) const + { + if (!InspIRCd::Match(user->GetRealHost(), hostmask, ascii_case_insensitive_map)) + return false; + + return InspIRCd::MatchCIDR(user->GetIPString(), hostmask, ascii_case_insensitive_map); + } +}; + +// Encapsulates information about a WebIRC host. +class WebIRCHost +{ + private: + std::string hostmask; + std::string fingerprint; + std::string password; + std::string passhash; + + public: + WebIRCHost(const std::string& mask, const std::string& fp, const std::string& pass, const std::string& hash) + : hostmask(mask) + , fingerprint(fp) + , password(pass) + , passhash(hash) + { + } + + bool Matches(LocalUser* user, const std::string& pass, UserCertificateAPI& sslapi) const + { + // Did the user send a valid password? + if (!password.empty() && !ServerInstance->PassCompare(user, password, pass, passhash)) + return false; + + // Does the user have a valid fingerprint? + const std::string fp = sslapi ? sslapi->GetFingerprint(user) : ""; + if (!fingerprint.empty() && !InspIRCd::TimingSafeCompare(fp, fingerprint)) + return false; + + // Does the user's hostname match our hostmask? + if (InspIRCd::Match(user->GetRealHost(), hostmask, ascii_case_insensitive_map)) + return true; + + // Does the user's IP address match our hostmask? + return InspIRCd::MatchCIDR(user->GetIPString(), hostmask, ascii_case_insensitive_map); + } +}; + +/* + * WEBIRC + * This is used for the webirc method of CGIIRC auth, and is (really) the best way to do these things. + * Syntax: WEBIRC password gateway hostname ip + * Where password is a shared key, gateway is the name of the WebIRC gateway and version (e.g. cgiirc), hostname + * is the resolved host of the client issuing the command and IP is the real IP of the client. + * + * How it works: + * To tie in with the rest of cgiirc module, and to avoid race conditions, /webirc is only processed locally + * and simply sets metadata on the user, which is later decoded on full connect to give something meaningful. + */ +class CommandWebIRC : public SplitCommand +{ + public: + std::vector hosts; + bool notify; + StringExtItem gateway; + StringExtItem realhost; + StringExtItem realip; + UserCertificateAPI sslapi; + Events::ModuleEventProvider webircevprov; + + CommandWebIRC(Module* Creator) + : SplitCommand(Creator, "WEBIRC", 4) + , gateway("cgiirc_gateway", ExtensionItem::EXT_USER, Creator) + , realhost("cgiirc_realhost", ExtensionItem::EXT_USER, Creator) + , realip("cgiirc_realip", ExtensionItem::EXT_USER, Creator) + , sslapi(Creator) + , webircevprov(Creator, "event/webirc") + { + allow_empty_last_param = false; + works_before_reg = true; + this->syntax = " []"; + } + + CmdResult HandleLocal(LocalUser* user, const Params& parameters) CXX11_OVERRIDE + { + if (user->registered == REG_ALL || realhost.get(user)) + return CMD_FAILURE; + + for (std::vector::const_iterator iter = hosts.begin(); iter != hosts.end(); ++iter) + { + // If we don't match the host then skip to the next host. + if (!iter->Matches(user, parameters[0], sslapi)) + continue; + + irc::sockets::sockaddrs ipaddr; + if (!irc::sockets::aptosa(parameters[3], user->client_sa.port(), ipaddr)) + { + WriteLog("Connecting user %s (%s) tried to use WEBIRC but gave an invalid IP address.", + user->uuid.c_str(), user->GetIPString().c_str()); + ServerInstance->Users->QuitUser(user, "WEBIRC: IP address is invalid: " + parameters[3]); + return CMD_FAILURE; + } + + // The user matched a WebIRC block! + gateway.set(user, parameters[1]); + realhost.set(user, user->GetRealHost()); + realip.set(user, user->GetIPString()); + + WriteLog("Connecting user %s is using a WebIRC gateway; changing their IP from %s to %s.", + user->uuid.c_str(), user->GetIPString().c_str(), parameters[3].c_str()); + + // If we have custom flags then deal with them. + WebIRC::FlagMap flags; + const bool hasflags = (parameters.size() > 4); + if (hasflags) + { + // Parse the flags. + irc::spacesepstream flagstream(parameters[4]); + for (std::string flag; flagstream.GetToken(flag); ) + { + // Does this flag have a value? + const size_t separator = flag.find('='); + if (separator == std::string::npos) + { + flags[flag]; + continue; + } + + // The flag has a value! + const std::string key = flag.substr(0, separator); + const std::string value = flag.substr(separator + 1); + flags[key] = value; + } + } + + // Inform modules about the WebIRC attempt. + FOREACH_MOD_CUSTOM(webircevprov, WebIRC::EventListener, OnWebIRCAuth, (user, (hasflags ? &flags : NULL))); + + // Set the IP address sent via WEBIRC. We ignore the hostname and lookup + // instead do our own DNS lookups because of unreliable gateways. + user->SetClientIP(ipaddr); + return CMD_SUCCESS; + } + + WriteLog("Connecting user %s (%s) tried to use WEBIRC but didn't match any configured WebIRC hosts.", + user->uuid.c_str(), user->GetIPString().c_str()); + ServerInstance->Users->QuitUser(user, "WEBIRC: you don't match any configured WebIRC hosts."); + return CMD_FAILURE; + } + + void WriteLog(const char* message, ...) CUSTOM_PRINTF(2, 3) + { + std::string buffer; + VAFORMAT(buffer, message, message); + + // If we are sending a snotice then the message will already be + // written to the logfile. + if (notify) + ServerInstance->SNO->WriteGlobalSno('w', buffer); + else + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, buffer); + } +}; + +class ModuleCgiIRC + : public Module + , public WebIRC::EventListener + , public Whois::EventListener +{ + private: + CommandWebIRC cmd; + std::vector hosts; + + static bool ParseIdent(LocalUser* user, irc::sockets::sockaddrs& out) + { + const char* ident = NULL; + if (user->ident.length() == 8) + { + // The ident is an IPv4 address encoded in hexadecimal with two characters + // per address segment. + ident = user->ident.c_str(); + } + else if (user->ident.length() == 9 && user->ident[0] == '~') + { + // The same as above but m_ident got to this user before we did. Strip the + // ident prefix and continue as normal. + ident = user->ident.c_str() + 1; + } + else + { + // The user either does not have an IPv4 in their ident or the gateway server + // is also running an identd. In the latter case there isn't really a lot we + // can do so we just assume that the client in question is not connecting via + // an ident gateway. + return false; + } + + // Try to convert the IP address to a string. If this fails then the user + // does not have an IPv4 address in their ident. + errno = 0; + unsigned long address = strtoul(ident, NULL, 16); + if (errno) + return false; + + out.in4.sin_family = AF_INET; + out.in4.sin_addr.s_addr = htonl(address); + return true; + } + + public: + ModuleCgiIRC() + : WebIRC::EventListener(this) + , Whois::EventListener(this) + , cmd(this) + { + } + + void init() CXX11_OVERRIDE + { + ServerInstance->SNO->EnableSnomask('w', "CGIIRC"); + } + + void ReadConfig(ConfigStatus& status) CXX11_OVERRIDE + { + std::vector identhosts; + std::vector webirchosts; + + ConfigTagList tags = ServerInstance->Config->ConfTags("cgihost"); + for (ConfigIter i = tags.first; i != tags.second; ++i) + { + ConfigTag* tag = i->second; + + // Ensure that we have the parameter. + const std::string mask = tag->getString("mask"); + if (mask.empty()) + throw ModuleException(" is a mandatory field, at " + tag->getTagLocation()); + + // Determine what lookup type this host uses. + const std::string type = tag->getString("type"); + if (stdalgo::string::equalsci(type, "ident")) + { + // The IP address should be looked up from the hex IP address. + const std::string newident = tag->getString("newident", "gateway", ServerInstance->IsIdent); + identhosts.push_back(IdentHost(mask, newident)); + } + else if (stdalgo::string::equalsci(type, "webirc")) + { + // The IP address will be received via the WEBIRC command. + const std::string fingerprint = tag->getString("fingerprint"); + const std::string password = tag->getString("password"); + const std::string passwordhash = tag->getString("hash", "plaintext", 1); + + // WebIRC blocks require a password. + if (fingerprint.empty() && password.empty()) + throw ModuleException("When using either the fingerprint or password field is required, at " + tag->getTagLocation()); + + if (!password.empty() && stdalgo::string::equalsci(passwordhash, "plaintext")) + { + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, " tag at %s contains an plain text password, this is insecure!", + tag->getTagLocation().c_str()); + } + + webirchosts.push_back(WebIRCHost(mask, fingerprint, password, passwordhash)); + } + else + { + throw ModuleException(type + " is an invalid type, at " + tag->getTagLocation()); + } + } + + // The host configuration was valid so we can apply it. + hosts.swap(identhosts); + cmd.hosts.swap(webirchosts); + + // Do we send an oper notice when a m_cgiirc client has their IP changed? + cmd.notify = ServerInstance->Config->ConfValue("cgiirc")->getBool("opernotice", true); + } + + ModResult OnSetConnectClass(LocalUser* user, ConnectClass* myclass) CXX11_OVERRIDE + { + // If is not set then we have nothing to do. + const std::string webirc = myclass->config->getString("webirc"); + if (webirc.empty()) + return MOD_RES_PASSTHRU; + + // If the user is not connecting via a WebIRC gateway then they + // cannot match this connect class. + const std::string* gateway = cmd.gateway.get(user); + if (!gateway) + { + ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "The %s connect class is not suitable as it requires a connection via a WebIRC gateway", + myclass->GetName().c_str()); + return MOD_RES_DENY; + } + + // If the gateway matches the constraint then + // allow the check to continue. Otherwise, reject it. + if (!InspIRCd::Match(*gateway, webirc)) + { + ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "The %s connect class is not suitable as the WebIRC gateway name (%s) does not match %s", + myclass->GetName().c_str(), gateway->c_str(), webirc.c_str()); + return MOD_RES_DENY; + } + + return MOD_RES_PASSTHRU; + } + + ModResult OnUserRegister(LocalUser* user) CXX11_OVERRIDE + { + // There is no need to check for gateways if one is already being used. + if (cmd.realhost.get(user)) + return MOD_RES_PASSTHRU; + + for (std::vector::const_iterator iter = hosts.begin(); iter != hosts.end(); ++iter) + { + // If we don't match the host then skip to the next host. + if (!iter->Matches(user)) + continue; + + // We have matched an block! Try to parse the encoded IPv4 address + // out of the ident. + irc::sockets::sockaddrs address(user->client_sa); + if (!ParseIdent(user, address)) + return MOD_RES_PASSTHRU; + + // Store the hostname and IP of the gateway for later use. + cmd.realhost.set(user, user->GetRealHost()); + cmd.realip.set(user, user->GetIPString()); + + const std::string& newident = iter->GetIdent(); + cmd.WriteLog("Connecting user %s is using an ident gateway; changing their IP from %s to %s and their ident from %s to %s.", + user->uuid.c_str(), user->GetIPString().c_str(), address.addr().c_str(), user->ident.c_str(), newident.c_str()); + + user->ChangeIdent(newident); + user->SetClientIP(address); + break; + } + return MOD_RES_PASSTHRU; + } + + void OnWebIRCAuth(LocalUser* user, const WebIRC::FlagMap* flags) CXX11_OVERRIDE + { + // We are only interested in connection flags. If none have been + // given then we have nothing to do. + if (!flags) + return; + + WebIRC::FlagMap::const_iterator cport = flags->find("remote-port"); + if (cport != flags->end()) + { + // If we can't parse the port then just give up. + uint16_t port = ConvToNum(cport->second); + if (port) + { + switch (user->client_sa.family()) + { + case AF_INET: + user->client_sa.in4.sin_port = htons(port); + break; + + case AF_INET6: + user->client_sa.in6.sin6_port = htons(port); + break; + + default: + // If we have reached this point then we have encountered a bug. + ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "BUG: OnWebIRCAuth(%s): socket type %d is unknown!", + user->uuid.c_str(), user->client_sa.family()); + return; + } + } + } + + WebIRC::FlagMap::const_iterator sport = flags->find("local-port"); + if (sport != flags->end()) + { + // If we can't parse the port then just give up. + uint16_t port = ConvToNum(sport->second); + if (port) + { + switch (user->server_sa.family()) + { + case AF_INET: + user->server_sa.in4.sin_port = htons(port); + break; + + case AF_INET6: + user->server_sa.in6.sin6_port = htons(port); + break; + + default: + // If we have reached this point then we have encountered a bug. + ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "BUG: OnWebIRCAuth(%s): socket type %d is unknown!", + user->uuid.c_str(), user->server_sa.family()); + return; + } + } + } + } + + void OnWhois(Whois::Context& whois) CXX11_OVERRIDE + { + if (!whois.IsSelfWhois() && !whois.GetSource()->HasPrivPermission("users/auspex")) + return; + + // If these fields are not set then the client is not using a gateway. + const std::string* realhost = cmd.realhost.get(whois.GetTarget()); + const std::string* realip = cmd.realip.get(whois.GetTarget()); + if (!realhost || !realip) + return; + + const std::string* gateway = cmd.gateway.get(whois.GetTarget()); + if (gateway) + whois.SendLine(RPL_WHOISGATEWAY, *realhost, *realip, "is connected via the " + *gateway + " WebIRC gateway"); + else + whois.SendLine(RPL_WHOISGATEWAY, *realhost, *realip, "is connected via an ident gateway"); + } + + Version GetVersion() CXX11_OVERRIDE + { + return Version("Adds the ability for IRC gateways to forward the real IP address of users connecting through them.", VF_VENDOR); + } +}; + +MODULE_INIT(ModuleCgiIRC)