X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fm_cgiirc.cpp;h=9ad25e6fbaec626573fe9402a8f08a3bf1f81b02;hb=80e81e3b81b779901fd9d67f8ae030ee30c0bcec;hp=16faf4f295e95826cd54f62fdc18c51fa7bb4afa;hpb=cadc11999ee28545e9beb92de116c151832af5c4;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/src/modules/m_cgiirc.cpp b/src/modules/m_cgiirc.cpp index 16faf4f29..9ad25e6fb 100644 --- a/src/modules/m_cgiirc.cpp +++ b/src/modules/m_cgiirc.cpp @@ -1,520 +1,541 @@ -/* +------------------------------------+ - * | Inspire Internet Relay Chat Daemon | - * +------------------------------------+ +/* + * InspIRCd -- Internet Relay Chat Daemon * - * InspIRCd: (C) 2002-2007 InspIRCd Development Team - * See: http://www.inspircd.org/wiki/index.php/Credits + * Copyright (C) 2019 linuxdaemon + * Copyright (C) 2014 md_5 + * Copyright (C) 2014 Googolplexed + * Copyright (C) 2013, 2017-2018, 2020-2021 Sadie Powell + * Copyright (C) 2013 Adam + * Copyright (C) 2012-2013, 2015 Attila Molnar + * Copyright (C) 2012, 2019 Robby + * Copyright (C) 2009-2010 Daniel De Graaf + * Copyright (C) 2009 Uli Schlachter + * Copyright (C) 2007-2009 Robin Burchell + * Copyright (C) 2007 Dennis Friis + * Copyright (C) 2006-2007, 2010 Craig Edwards * - * This program is free but copyrighted software; see - * the file COPYING for details. + * This file is part of InspIRCd. InspIRCd is free software: you can + * redistribute it and/or modify it under the terms of the GNU General Public + * License as published by the Free Software Foundation, version 2. * - * --------------------------------------------------- + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . */ -#include "inspircd.h" - -#ifndef WINDOWS -#include -#include -#include -#endif -/* $ModDesc: Change user's hosts connecting from known CGI:IRC hosts */ +#include "inspircd.h" +#include "modules/ssl.h" +#include "modules/webirc.h" +#include "modules/whois.h" -enum CGItype { INVALID, PASS, IDENT, PASSFIRST, IDENTFIRST, WEBIRC }; +enum +{ + // InspIRCd-specific. + RPL_WHOISGATEWAY = 350 +}; +// One or more hostmask globs or CIDR ranges. +typedef std::vector MaskList; -/** Holds a CGI site's details - */ -class CGIhost : public classbase +// Encapsulates information about an ident host. +class IdentHost { -public: - std::string hostmask; - CGItype type; - std::string password; + private: + MaskList hostmasks; + std::string newident; - CGIhost(const std::string &mask = "", CGItype t = IDENTFIRST, const std::string &password ="") - : hostmask(mask), type(t), password(password) + public: + IdentHost(const MaskList& masks, const std::string& ident) + : hostmasks(masks) + , newident(ident) { } -}; -typedef std::vector CGIHostlist; -class CommandWebirc : public Command -{ - InspIRCd* Me; - CGIHostlist Hosts; - bool notify; - public: - CommandWebirc(InspIRCd* Me, CGIHostlist &Hosts, bool notify) : Command(Me, "WEBIRC", 0, 4, true), Hosts(Hosts), notify(notify) - { - this->source = "m_cgiirc.so"; - this->syntax = "password client hostname ip"; - } - CmdResult Handle(const char** parameters, int pcnt, User *user) + const std::string& GetIdent() const + { + return newident; + } + + bool Matches(LocalUser* user) const + { + for (MaskList::const_iterator iter = hostmasks.begin(); iter != hostmasks.end(); ++iter) { - if(user->registered == REG_ALL) - return CMD_FAILURE; - - for(CGIHostlist::iterator iter = Hosts.begin(); iter != Hosts.end(); iter++) - { - if(ServerInstance->MatchText(user->host, iter->hostmask) || ServerInstance->MatchText(user->GetIPString(), iter->hostmask)) - { - if(iter->type == WEBIRC && parameters[0] == iter->password) - { - user->Extend("cgiirc_realhost", new std::string(user->host)); - user->Extend("cgiirc_realip", new std::string(user->GetIPString())); - if (notify) - ServerInstance->WriteOpers("*** Connecting user %s detected as using CGI:IRC (%s), changing real host to %s from %s", user->nick, user->host, parameters[2], user->host); - user->Extend("cgiirc_webirc_hostname", new std::string(parameters[2])); - user->Extend("cgiirc_webirc_ip", new std::string(parameters[3])); - return CMD_LOCALONLY; - } - } - } - return CMD_FAILURE; + // Does the user's hostname match this hostmask? + if (InspIRCd::Match(user->GetRealHost(), *iter, ascii_case_insensitive_map)) + return true; + + // Does the user's IP address match this hostmask? + if (InspIRCd::MatchCIDR(user->GetIPString(), *iter, ascii_case_insensitive_map)) + return true; } -}; + // The user didn't match any hostmasks. + return false; + } +}; -/** Resolver for CGI:IRC hostnames encoded in ident/GECOS - */ -class CGIResolver : public Resolver +// Encapsulates information about a WebIRC host. +class WebIRCHost { - std::string typ; - int theirfd; - User* them; - bool notify; - public: - CGIResolver(Module* me, InspIRCd* ServerInstance, bool NotifyOpers, const std::string &source, bool forward, User* u, int userfd, const std::string &type, bool &cached) - : Resolver(ServerInstance, source, forward ? DNS_QUERY_A : DNS_QUERY_PTR4, cached, me), typ(type), theirfd(userfd), them(u), notify(NotifyOpers) { } + private: + MaskList hostmasks; + std::string fingerprint; + std::string password; + std::string passhash; - virtual void OnLookupComplete(const std::string &result, unsigned int ttl, bool cached, int resultnum = 0) + public: + WebIRCHost(const MaskList& masks, const std::string& fp, const std::string& pass, const std::string& hash) + : hostmasks(masks) + , fingerprint(fp) + , password(pass) + , passhash(hash) { - if (resultnum) - return; - - /* Check the user still exists */ - if ((them) && (them == ServerInstance->SE->GetRef(theirfd))) - { - if (notify) - ServerInstance->WriteOpers("*** Connecting user %s detected as using CGI:IRC (%s), changing real host to %s from %s", them->nick, them->host, result.c_str(), typ.c_str()); - - strlcpy(them->host, result.c_str(), 63); - strlcpy(them->dhost, result.c_str(), 63); - strlcpy(them->ident, "~cgiirc", 8); - them->InvalidateCache(); - } } - virtual void OnError(ResolverError e, const std::string &errormessage) + bool Matches(LocalUser* user, const std::string& pass, UserCertificateAPI& sslapi) const { - if ((them) && (them == ServerInstance->SE->GetRef(theirfd))) + // Did the user send a valid password? + if (!password.empty() && !ServerInstance->PassCompare(user, password, pass, passhash)) + return false; + + // Does the user have a valid fingerprint? + const std::string fp = sslapi ? sslapi->GetFingerprint(user) : ""; + if (!fingerprint.empty() && !InspIRCd::TimingSafeCompare(fp, fingerprint)) + return false; + + for (MaskList::const_iterator iter = hostmasks.begin(); iter != hostmasks.end(); ++iter) { - if (notify) - ServerInstance->WriteOpers("*** Connecting user %s detected as using CGI:IRC (%s), but their host can't be resolved from their %s!", them->nick, them->host,typ.c_str()); + // Does the user's hostname match this hostmask? + if (InspIRCd::Match(user->GetRealHost(), *iter, ascii_case_insensitive_map)) + return true; + + // Does the user's IP address match this hostmask? + if (InspIRCd::MatchCIDR(user->GetIPString(), *iter, ascii_case_insensitive_map)) + return true; } - } - virtual ~CGIResolver() - { + // The user didn't match any hostmasks. + return false; } }; -class ModuleCgiIRC : public Module +class CommandHexIP : public SplitCommand { - CommandWebirc* mycommand; - bool NotifyOpers; - CGIHostlist Hosts; -public: - ModuleCgiIRC(InspIRCd* Me) : Module(Me) - { - - OnRehash(NULL,""); - mycommand=new CommandWebirc(Me, Hosts, NotifyOpers); - ServerInstance->AddCommand(mycommand); - Implementation eventlist[] = { I_OnRehash, I_OnUserRegister, I_OnCleanup, I_OnSyncUserMetaData, I_OnDecodeMetaData, I_OnUserQuit, I_OnUserConnect }; - ServerInstance->Modules->Attach(eventlist, this, 7); - } - - void Implements(char* List) - { - List[I_OnRehash] = List[I_OnUserRegister] = List[I_OnCleanup] = List[I_OnSyncUserMetaData] = List[I_OnDecodeMetaData] = List[I_OnUserQuit] = List[I_OnUserConnect] = 1; - } - - virtual void Prioritize() + public: + CommandHexIP(Module* Creator) + : SplitCommand(Creator, "HEXIP", 1) { - ServerInstance->Modules->SetPriority(this, I_OnUserConnect, PRIO_FIRST); + allow_empty_last_param = false; + Penalty = 2; + syntax = ""; } - virtual void OnRehash(User* user, const std::string ¶meter) + CmdResult HandleLocal(LocalUser* user, const Params& parameters) CXX11_OVERRIDE { - ConfigReader Conf(ServerInstance); - - NotifyOpers = Conf.ReadFlag("cgiirc", "opernotice", 0); // If we send an oper notice when a CGI:IRC has their host changed. - - if(Conf.GetError() == CONF_VALUE_NOT_FOUND) - NotifyOpers = true; - - for(int i = 0; i < Conf.Enumerate("cgihost"); i++) + irc::sockets::sockaddrs sa; + if (irc::sockets::aptosa(parameters[0], 0, sa)) { - std::string hostmask = Conf.ReadValue("cgihost", "mask", i); // An allowed CGI:IRC host - std::string type = Conf.ReadValue("cgihost", "type", i); // What type of user-munging we do on this host. - std::string password = Conf.ReadValue("cgihost", "password", i); - - if(hostmask.length()) + if (sa.family() != AF_INET) { - if (type == "webirc" && !password.length()) { - ServerInstance->Log(DEFAULT, "m_cgiirc: Missing password in config: %s", hostmask.c_str()); - } - else - { - CGItype cgitype = INVALID; - if (type == "pass") - cgitype = PASS; - else if (type == "ident") - cgitype = IDENT; - else if (type == "passfirst") - cgitype = PASSFIRST; - else if (type == "webirc") - { - cgitype = WEBIRC; - } + user->WriteNotice("*** HEXIP: You can only hex encode an IPv4 address!"); + return CMD_FAILURE; + } - if (cgitype == INVALID) - cgitype = PASS; + uint32_t addr = sa.in4.sin_addr.s_addr; + user->WriteNotice(InspIRCd::Format("*** HEXIP: %s encodes to %02x%02x%02x%02x.", + sa.addr().c_str(), (addr & 0xFF), ((addr >> 8) & 0xFF), ((addr >> 16) & 0xFF), + ((addr >> 24) & 0xFF))); + return CMD_SUCCESS; + } - Hosts.push_back(CGIhost(hostmask,cgitype, password.length() ? password : "" )); - } - } - else - { - ServerInstance->Log(DEFAULT, "m_cgiirc.so: Invalid value in config: %s", hostmask.c_str()); - continue; - } + if (ParseIP(parameters[0], sa)) + { + user->WriteNotice(InspIRCd::Format("*** HEXIP: %s decodes to %s.", + parameters[0].c_str(), sa.addr().c_str())); + return CMD_SUCCESS; } + + user->WriteNotice(InspIRCd::Format("*** HEXIP: %s is not a valid raw or hex encoded IPv4 address.", + parameters[0].c_str())); + return CMD_FAILURE; } - virtual void OnCleanup(int target_type, void* item) + static bool ParseIP(const std::string& in, irc::sockets::sockaddrs& out) { - if(target_type == TYPE_USER) + const char* ident = NULL; + if (in.length() == 8) { - User* user = (User*)item; - std::string* realhost; - std::string* realip; - - if(user->GetExt("cgiirc_realhost", realhost)) - { - delete realhost; - user->Shrink("cgiirc_realhost"); - } - - if(user->GetExt("cgiirc_realip", realip)) - { - delete realip; - user->Shrink("cgiirc_realip"); - } + // The ident is an IPv4 address encoded in hexadecimal with two characters + // per address segment. + ident = in.c_str(); } - } - - virtual void OnSyncUserMetaData(User* user, Module* proto, void* opaque, const std::string &extname, bool displayable) - { - if((extname == "cgiirc_realhost") || (extname == "cgiirc_realip")) + else if (in.length() == 9 && in[0] == '~') { - std::string* data; - - if(user->GetExt(extname, data)) - { - proto->ProtoSendMetaData(opaque, TYPE_USER, user, extname, *data); - } + // The same as above but m_ident got to this user before we did. Strip the + // ident prefix and continue as normal. + ident = in.c_str() + 1; } + else + { + // The user either does not have an IPv4 in their ident or the gateway server + // is also running an identd. In the latter case there isn't really a lot we + // can do so we just assume that the client in question is not connecting via + // an ident gateway. + return false; + } + + // Try to convert the IP address to a string. If this fails then the user + // does not have an IPv4 address in their ident. + errno = 0; + unsigned long address = strtoul(ident, NULL, 16); + if (errno) + return false; + + out.in4.sin_family = AF_INET; + out.in4.sin_addr.s_addr = htonl(address); + return true; } +}; - virtual void OnDecodeMetaData(int target_type, void* target, const std::string &extname, const std::string &extdata) +class CommandWebIRC : public SplitCommand +{ + public: + std::vector hosts; + bool notify; + StringExtItem gateway; + StringExtItem realhost; + StringExtItem realip; + UserCertificateAPI sslapi; + Events::ModuleEventProvider webircevprov; + + CommandWebIRC(Module* Creator) + : SplitCommand(Creator, "WEBIRC", 4) + , gateway("cgiirc_gateway", ExtensionItem::EXT_USER, Creator) + , realhost("cgiirc_realhost", ExtensionItem::EXT_USER, Creator) + , realip("cgiirc_realip", ExtensionItem::EXT_USER, Creator) + , sslapi(Creator) + , webircevprov(Creator, "event/webirc") { - if(target_type == TYPE_USER) + allow_empty_last_param = false; + works_before_reg = true; + this->syntax = " []"; + } + + CmdResult HandleLocal(LocalUser* user, const Params& parameters) CXX11_OVERRIDE + { + if (user->registered == REG_ALL || realhost.get(user)) + return CMD_FAILURE; + + for (std::vector::const_iterator iter = hosts.begin(); iter != hosts.end(); ++iter) { - User* dest = (User*)target; - std::string* bleh; - if(((extname == "cgiirc_realhost") || (extname == "cgiirc_realip")) && (!dest->GetExt(extname, bleh))) + // If we don't match the host then skip to the next host. + if (!iter->Matches(user, parameters[0], sslapi)) + continue; + + irc::sockets::sockaddrs ipaddr; + if (!irc::sockets::aptosa(parameters[3], user->client_sa.port(), ipaddr)) { - dest->Extend(extname, new std::string(extdata)); + WriteLog("Connecting user %s (%s) tried to use WEBIRC but gave an invalid IP address.", + user->uuid.c_str(), user->GetIPString().c_str()); + ServerInstance->Users->QuitUser(user, "WEBIRC: IP address is invalid: " + parameters[3]); + return CMD_FAILURE; } - } - } - virtual void OnUserQuit(User* user, const std::string &message, const std::string &oper_message) - { - OnCleanup(TYPE_USER, user); - } - + // The user matched a WebIRC block! + gateway.set(user, parameters[1]); + realhost.set(user, user->GetRealHost()); + realip.set(user, user->GetIPString()); + + WriteLog("Connecting user %s is using the %s WebIRC gateway; changing their IP from %s to %s.", + user->uuid.c_str(), parameters[1].c_str(), + user->GetIPString().c_str(), parameters[3].c_str()); - virtual int OnUserRegister(User* user) - { - for(CGIHostlist::iterator iter = Hosts.begin(); iter != Hosts.end(); iter++) - { - if(ServerInstance->MatchText(user->host, iter->hostmask) || ServerInstance->MatchText(user->GetIPString(), iter->hostmask)) + // If we have custom flags then deal with them. + WebIRC::FlagMap flags; + const bool hasflags = (parameters.size() > 4); + if (hasflags) { - // Deal with it... - if(iter->type == PASS) - { - CheckPass(user); // We do nothing if it fails so... - } - else if(iter->type == PASSFIRST && !CheckPass(user)) - { - // If the password lookup failed, try the ident - CheckIdent(user); // If this fails too, do nothing - } - else if(iter->type == IDENT) + // Parse the flags. + irc::spacesepstream flagstream(parameters[4]); + for (std::string flag; flagstream.GetToken(flag); ) { - CheckIdent(user); // Nothing on failure. - } - else if(iter->type == IDENTFIRST && !CheckIdent(user)) - { - // If the ident lookup fails, try the password. - CheckPass(user); - } - else if(iter->type == WEBIRC) - { - // We don't need to do anything here + // Does this flag have a value? + const size_t separator = flag.find('='); + if (separator == std::string::npos) + { + flags[flag]; + continue; + } + + // The flag has a value! + const std::string key = flag.substr(0, separator); + const std::string value = flag.substr(separator + 1); + flags[key] = value; } - return 0; } + + // Inform modules about the WebIRC attempt. + FOREACH_MOD_CUSTOM(webircevprov, WebIRC::EventListener, OnWebIRCAuth, (user, (hasflags ? &flags : NULL))); + + // Set the IP address sent via WEBIRC. We ignore the hostname and lookup + // instead do our own DNS lookups because of unreliable gateways. + user->SetClientIP(ipaddr); + return CMD_SUCCESS; } - return 0; + + WriteLog("Connecting user %s (%s) tried to use WEBIRC but didn't match any configured WebIRC hosts.", + user->uuid.c_str(), user->GetIPString().c_str()); + ServerInstance->Users->QuitUser(user, "WEBIRC: you don't match any configured WebIRC hosts."); + return CMD_FAILURE; } - virtual void OnUserConnect(User* user) + void WriteLog(const char* message, ...) CUSTOM_PRINTF(2, 3) + { + std::string buffer; + VAFORMAT(buffer, message, message); + + // If we are sending a snotice then the message will already be + // written to the logfile. + if (notify) + ServerInstance->SNO->WriteGlobalSno('w', buffer); + else + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, buffer); + } +}; + +class ModuleCgiIRC + : public Module + , public WebIRC::EventListener + , public Whois::EventListener +{ + private: + CommandHexIP cmdhexip; + CommandWebIRC cmdwebirc; + std::vector hosts; + + public: + ModuleCgiIRC() + : WebIRC::EventListener(this) + , Whois::EventListener(this) + , cmdhexip(this) + , cmdwebirc(this) { - std::string *webirc_hostname, *webirc_ip; - if(user->GetExt("cgiirc_webirc_hostname", webirc_hostname)) - { - strlcpy(user->host,webirc_hostname->c_str(),63); - strlcpy(user->dhost,webirc_hostname->c_str(),63); - delete webirc_hostname; - user->InvalidateCache(); - user->Shrink("cgiirc_webirc_hostname"); - } - if(user->GetExt("cgiirc_webirc_ip", webirc_ip)) - { - bool valid=false; - user->RemoveCloneCounts(); -#ifdef IPV6 - valid = (inet_pton(AF_INET6, webirc_ip->c_str(), &((sockaddr_in6*)user->ip)->sin6_addr) > 0); - - if(!valid) - valid = (inet_aton(webirc_ip->c_str(), &((sockaddr_in*)user->ip)->sin_addr)); -#else - if (inet_aton(webirc_ip->c_str(), &((sockaddr_in*)user->ip)->sin_addr)) - valid = true; -#endif - - delete webirc_ip; - user->InvalidateCache(); - user->Shrink("cgiirc_webirc_ip"); - ServerInstance->AddLocalClone(user); - ServerInstance->AddGlobalClone(user); - user->CheckClass(); - } } - bool CheckPass(User* user) + void init() CXX11_OVERRIDE { - if(IsValidHost(user->password)) + ServerInstance->SNO->EnableSnomask('w', "CGIIRC"); + } + + void ReadConfig(ConfigStatus& status) CXX11_OVERRIDE + { + std::vector identhosts; + std::vector webirchosts; + + ConfigTagList tags = ServerInstance->Config->ConfTags("cgihost"); + for (ConfigIter i = tags.first; i != tags.second; ++i) { - user->Extend("cgiirc_realhost", new std::string(user->host)); - user->Extend("cgiirc_realip", new std::string(user->GetIPString())); - strlcpy(user->host, user->password, 64); - strlcpy(user->dhost, user->password, 64); - user->InvalidateCache(); - - bool valid = false; - user->RemoveCloneCounts(); -#ifdef IPV6 - if (user->GetProtocolFamily() == AF_INET6) - valid = (inet_pton(AF_INET6, user->password, &((sockaddr_in6*)user->ip)->sin6_addr) > 0); - else - valid = (inet_aton(user->password, &((sockaddr_in*)user->ip)->sin_addr)); -#else - if (inet_aton(user->password, &((sockaddr_in*)user->ip)->sin_addr)) - valid = true; -#endif - ServerInstance->AddLocalClone(user); - ServerInstance->AddGlobalClone(user); - user->CheckClass(); - - if (valid) + ConfigTag* tag = i->second; + + MaskList masks; + irc::spacesepstream maskstream(tag->getString("mask")); + for (std::string mask; maskstream.GetToken(mask); ) + masks.push_back(mask); + + // Ensure that we have the parameter. + if (masks.empty()) + throw ModuleException(" is a mandatory field, at " + tag->getTagLocation()); + + // Determine what lookup type this host uses. + const std::string type = tag->getString("type"); + if (stdalgo::string::equalsci(type, "ident")) { - /* We were given a IP in the password, we don't do DNS so they get this is as their host as well. */ - if(NotifyOpers) - ServerInstance->WriteOpers("*** Connecting user %s detected as using CGI:IRC (%s), changing real host to %s from PASS", user->nick, user->host, user->password); + // The IP address should be looked up from the hex IP address. + const std::string newident = tag->getString("newident", "gateway", ServerInstance->IsIdent); + identhosts.push_back(IdentHost(masks, newident)); } - else + else if (stdalgo::string::equalsci(type, "webirc")) { - /* We got as resolved hostname in the password. */ - try - { + // The IP address will be received via the WEBIRC command. + const std::string fingerprint = tag->getString("fingerprint"); + const std::string password = tag->getString("password"); + const std::string passwordhash = tag->getString("hash", "plaintext", 1); - bool cached; - CGIResolver* r = new CGIResolver(this, ServerInstance, NotifyOpers, user->password, false, user, user->GetFd(), "PASS", cached); - ServerInstance->AddResolver(r, cached); - } - catch (...) + // WebIRC blocks require a password. + if (fingerprint.empty() && password.empty()) + throw ModuleException("When using either the fingerprint or password field is required, at " + tag->getTagLocation()); + + if (!password.empty() && stdalgo::string::equalsci(passwordhash, "plaintext")) { - if (NotifyOpers) - ServerInstance->WriteOpers("*** Connecting user %s detected as using CGI:IRC (%s), but i could not resolve their hostname!", user->nick, user->host); + ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, " tag at %s contains an plain text password, this is insecure!", + tag->getTagLocation().c_str()); } + + webirchosts.push_back(WebIRCHost(masks, fingerprint, password, passwordhash)); + } + else + { + throw ModuleException(type + " is an invalid type, at " + tag->getTagLocation()); } - - *user->password = 0; + } - /*if(NotifyOpers) - ServerInstance->WriteOpers("*** Connecting user %s detected as using CGI:IRC (%s), changing real host to %s from PASS", user->nick, user->host, user->password);*/ + // The host configuration was valid so we can apply it. + hosts.swap(identhosts); + cmdwebirc.hosts.swap(webirchosts); - return true; - } - - return false; + // Do we send an oper notice when a m_cgiirc client has their IP changed? + cmdwebirc.notify = ServerInstance->Config->ConfValue("cgiirc")->getBool("opernotice", true); } - - bool CheckIdent(User* user) + + ModResult OnSetConnectClass(LocalUser* user, ConnectClass* myclass) CXX11_OVERRIDE { - int ip[4]; - char* ident; - char newip[16]; - int len = strlen(user->ident); - - if(len == 8) - ident = user->ident; - else if(len == 9 && *user->ident == '~') - ident = user->ident+1; - else - return false; - - for(int i = 0; i < 4; i++) - if(!HexToInt(ip[i], ident + i*2)) - return false; - - snprintf(newip, 16, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]); - - user->Extend("cgiirc_realhost", new std::string(user->host)); - user->Extend("cgiirc_realip", new std::string(user->GetIPString())); - user->RemoveCloneCounts(); -#ifdef IPV6 - if (user->GetProtocolFamily() == AF_INET6) - inet_pton(AF_INET6, newip, &((sockaddr_in6*)user->ip)->sin6_addr); - else -#endif - inet_aton(newip, &((sockaddr_in*)user->ip)->sin_addr); - ServerInstance->AddLocalClone(user); - ServerInstance->AddGlobalClone(user); - user->CheckClass(); - try + // If is not set then we have nothing to do. + const std::string webirc = myclass->config->getString("webirc"); + if (webirc.empty()) + return MOD_RES_PASSTHRU; + + // If the user is not connecting via a WebIRC gateway then they + // cannot match this connect class. + const std::string* gateway = cmdwebirc.gateway.get(user); + if (!gateway) { - strlcpy(user->host, newip, 16); - strlcpy(user->dhost, newip, 16); - strlcpy(user->ident, "~cgiirc", 8); - - bool cached; - CGIResolver* r = new CGIResolver(this, ServerInstance, NotifyOpers, newip, false, user, user->GetFd(), "IDENT", cached); - ServerInstance->AddResolver(r, cached); + ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "The %s connect class is not suitable as it requires a connection via a WebIRC gateway", + myclass->GetName().c_str()); + return MOD_RES_DENY; } - catch (...) - { - strlcpy(user->host, newip, 16); - strlcpy(user->dhost, newip, 16); - strlcpy(user->ident, "~cgiirc", 8); - user->InvalidateCache(); - if(NotifyOpers) - ServerInstance->WriteOpers("*** Connecting user %s detected as using CGI:IRC (%s), but i could not resolve their hostname!", user->nick, user->host); + // If the gateway matches the constraint then + // allow the check to continue. Otherwise, reject it. + if (!InspIRCd::Match(*gateway, webirc)) + { + ServerInstance->Logs->Log("CONNECTCLASS", LOG_DEBUG, "The %s connect class is not suitable as the WebIRC gateway name (%s) does not match %s", + myclass->GetName().c_str(), gateway->c_str(), webirc.c_str()); + return MOD_RES_DENY; } - /*strlcpy(user->host, newip, 16); - strlcpy(user->dhost, newip, 16); - strlcpy(user->ident, "~cgiirc", 8);*/ - return true; + return MOD_RES_PASSTHRU; } - - bool IsValidHost(const std::string &host) + + ModResult OnUserRegister(LocalUser* user) CXX11_OVERRIDE { - if(!host.size()) - return false; - - for(unsigned int i = 0; i < host.size(); i++) + // There is no need to check for gateways if one is already being used. + if (cmdwebirc.realhost.get(user)) + return MOD_RES_PASSTHRU; + + for (std::vector::const_iterator iter = hosts.begin(); iter != hosts.end(); ++iter) { - if( ((host[i] >= '0') && (host[i] <= '9')) || - ((host[i] >= 'A') && (host[i] <= 'Z')) || - ((host[i] >= 'a') && (host[i] <= 'z')) || - ((host[i] == '-') && (i > 0) && (i+1 < host.size()) && (host[i-1] != '.') && (host[i+1] != '.')) || - ((host[i] == '.') && (i > 0) && (i+1 < host.size())) ) - + // If we don't match the host then skip to the next host. + if (!iter->Matches(user)) continue; - else - return false; + + // We have matched an block! Try to parse the encoded IPv4 address + // out of the ident. + irc::sockets::sockaddrs address(user->client_sa); + if (!CommandHexIP::ParseIP(user->ident, address)) + return MOD_RES_PASSTHRU; + + // Store the hostname and IP of the gateway for later use. + cmdwebirc.realhost.set(user, user->GetRealHost()); + cmdwebirc.realip.set(user, user->GetIPString()); + + const std::string& newident = iter->GetIdent(); + cmdwebirc.WriteLog("Connecting user %s is using an ident gateway; changing their IP from %s to %s and their ident from %s to %s.", + user->uuid.c_str(), user->GetIPString().c_str(), address.addr().c_str(), user->ident.c_str(), newident.c_str()); + + user->ChangeIdent(newident); + user->SetClientIP(address); + break; } - - return true; + return MOD_RES_PASSTHRU; } - bool IsValidIP(const std::string &ip) + void OnWebIRCAuth(LocalUser* user, const WebIRC::FlagMap* flags) CXX11_OVERRIDE { - if(ip.size() < 7 || ip.size() > 15) - return false; - - short sincedot = 0; - short dots = 0; - - for(unsigned int i = 0; i < ip.size(); i++) + // We are only interested in connection flags. If none have been + // given then we have nothing to do. + if (!flags) + return; + + WebIRC::FlagMap::const_iterator cport = flags->find("remote-port"); + if (cport != flags->end()) { - if((dots <= 3) && (sincedot <= 3)) + // If we can't parse the port then just give up. + uint16_t port = ConvToNum(cport->second); + if (port) { - if((ip[i] >= '0') && (ip[i] <= '9')) + switch (user->client_sa.family()) { - sincedot++; - } - else if(ip[i] == '.') - { - sincedot = 0; - dots++; + case AF_INET: + user->client_sa.in4.sin_port = htons(port); + break; + + case AF_INET6: + user->client_sa.in6.sin6_port = htons(port); + break; + + default: + // If we have reached this point then we have encountered a bug. + ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "BUG: OnWebIRCAuth(%s): socket type %d is unknown!", + user->uuid.c_str(), user->client_sa.family()); + return; } } - else + } + + WebIRC::FlagMap::const_iterator sport = flags->find("local-port"); + if (sport != flags->end()) + { + // If we can't parse the port then just give up. + uint16_t port = ConvToNum(sport->second); + if (port) { - return false; - + switch (user->server_sa.family()) + { + case AF_INET: + user->server_sa.in4.sin_port = htons(port); + break; + + case AF_INET6: + user->server_sa.in6.sin6_port = htons(port); + break; + + default: + // If we have reached this point then we have encountered a bug. + ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "BUG: OnWebIRCAuth(%s): socket type %d is unknown!", + user->uuid.c_str(), user->server_sa.family()); + return; + } } } - - if(dots != 3) - return false; - - return true; } - - bool HexToInt(int &out, const char* in) - { - char ip[3]; - ip[0] = in[0]; - ip[1] = in[1]; - ip[2] = 0; - out = strtol(ip, NULL, 16); - - if(out > 255 || out < 0) - return false; - return true; - } - - virtual ~ModuleCgiIRC() + void OnWhois(Whois::Context& whois) CXX11_OVERRIDE { + if (!whois.IsSelfWhois() && !whois.GetSource()->HasPrivPermission("users/auspex")) + return; + + // If these fields are not set then the client is not using a gateway. + const std::string* realhost = cmdwebirc.realhost.get(whois.GetTarget()); + const std::string* realip = cmdwebirc.realip.get(whois.GetTarget()); + if (!realhost || !realip) + return; + + const std::string* gateway = cmdwebirc.gateway.get(whois.GetTarget()); + if (gateway) + whois.SendLine(RPL_WHOISGATEWAY, *realhost, *realip, "is connected via the " + *gateway + " WebIRC gateway"); + else + whois.SendLine(RPL_WHOISGATEWAY, *realhost, *realip, "is connected via an ident gateway"); } - - virtual Version GetVersion() + + Version GetVersion() CXX11_OVERRIDE { - return Version(1,1,0,0,VF_VENDOR,API_VERSION); + return Version("Adds the ability for IRC gateways to forward the real IP address of users connecting through them.", VF_VENDOR); } - }; MODULE_INIT(ModuleCgiIRC)