X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fm_httpd_acl.cpp;h=270e8b007ec94ef93e18122594f8bc83f70b25cf;hb=b4a174ee9c32d62ea6bf010e837e8c5b1c3d36a3;hp=27231644026ac7d63d82878c3d11bc3f3212d05e;hpb=d24619c012b34d5a3d4cfb93e7bea3ff3d5721e7;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/src/modules/m_httpd_acl.cpp b/src/modules/m_httpd_acl.cpp index 272316440..270e8b007 100644 --- a/src/modules/m_httpd_acl.cpp +++ b/src/modules/m_httpd_acl.cpp @@ -1,8 +1,13 @@ /* * InspIRCd -- Internet Relay Chat Daemon * + * Copyright (C) 2018-2019 linuxdaemon + * Copyright (C) 2013, 2017-2018, 2020 Sadie Powell + * Copyright (C) 2013, 2015 Attila Molnar + * Copyright (C) 2012, 2019 Robby * Copyright (C) 2009-2010 Daniel De Graaf - * Copyright (C) 2008 Craig Edwards + * Copyright (C) 2008, 2010 Craig Edwards + * Copyright (C) 2008 Robin Burchell * * This file is part of InspIRCd. InspIRCd is free software: you can * redistribute it and/or modify it under the terms of the GNU General Public @@ -20,7 +25,6 @@ #include "inspircd.h" #include "modules/httpd.h" -#include "protocol.h" class HTTPACL { @@ -37,21 +41,22 @@ class HTTPACL blacklist(set_blacklist) { } }; -class ModuleHTTPAccessList : public Module +class ModuleHTTPAccessList : public Module, public HTTPACLEventListener { - std::string stylesheet; + private: std::vector acl_list; HTTPdAPI API; public: - ModuleHTTPAccessList() - : API(this) + ModuleHTTPAccessList() + : HTTPACLEventListener(this) + , API(this) { } - void OnRehash(User* user) + void ReadConfig(ConfigStatus& status) CXX11_OVERRIDE { - acl_list.clear(); + std::vector new_acls; ConfigTagList acls = ServerInstance->Config->ConfTags("httpdacl"); for (ConfigIter i = acls.first; i != acls.second; i++) { @@ -67,16 +72,16 @@ class ModuleHTTPAccessList : public Module while (sep.GetToken(type)) { - if (type == "password") + if (stdalgo::string::equalsci(type, "password")) { username = c->getString("username"); password = c->getString("password"); } - else if (type == "whitelist") + else if (stdalgo::string::equalsci(type, "whitelist")) { whitelist = c->getString("whitelist"); } - else if (type == "blacklist") + else if (stdalgo::string::equalsci(type, "blacklist")) { blacklist = c->getString("blacklist"); } @@ -89,20 +94,22 @@ class ModuleHTTPAccessList : public Module ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "Read ACL: path=%s pass=%s whitelist=%s blacklist=%s", path.c_str(), password.c_str(), whitelist.c_str(), blacklist.c_str()); - acl_list.push_back(HTTPACL(path, username, password, whitelist, blacklist)); + new_acls.push_back(HTTPACL(path, username, password, whitelist, blacklist)); } + acl_list.swap(new_acls); } - void init() CXX11_OVERRIDE + void BlockAccess(HTTPRequest* http, unsigned int returnval, const std::string &extraheaderkey = "", const std::string &extraheaderval="") { - OnRehash(NULL); - } + ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "BlockAccess (%u)", returnval); - void BlockAccess(HTTPRequest* http, int returnval, const std::string &extraheaderkey = "", const std::string &extraheaderval="") - { - ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "BlockAccess (%d)", returnval); + std::stringstream data; + data << "" + << "

Error " << returnval << "

" + << "

Access to this resource is denied by an access control list.

" + << "

Please contact your IRC administrator.

" + << "Powered by InspIRCd"; - std::stringstream data("Access to this resource is denied by an access control list. Please contact your IRC administrator."); HTTPDocumentResponse response(this, *http, &data, returnval); response.headers.SetHeader("X-Powered-By", MODNAME); if (!extraheaderkey.empty()) @@ -110,16 +117,14 @@ class ModuleHTTPAccessList : public Module API->SendResponse(response); } - void OnEvent(Event& event) CXX11_OVERRIDE + bool IsAccessAllowed(HTTPRequest* http) { - if (event.id == "httpd_acl") { ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "Handling httpd acl event"); - HTTPRequest* http = (HTTPRequest*)&event; for (std::vector::const_iterator this_acl = acl_list.begin(); this_acl != acl_list.end(); ++this_acl) { - if (InspIRCd::Match(http->GetURI(), this_acl->path, ascii_case_insensitive_map)) + if (InspIRCd::Match(http->GetPath(), this_acl->path, ascii_case_insensitive_map)) { if (!this_acl->blacklist.empty()) { @@ -132,9 +137,9 @@ class ModuleHTTPAccessList : public Module if (InspIRCd::Match(http->GetIP(), entry, ascii_case_insensitive_map)) { ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "Denying access to blacklisted resource %s (matched by pattern %s) from ip %s (matched by entry %s)", - http->GetURI().c_str(), this_acl->path.c_str(), http->GetIP().c_str(), entry.c_str()); + http->GetPath().c_str(), this_acl->path.c_str(), http->GetIP().c_str(), entry.c_str()); BlockAccess(http, 403); - return; + return false; } } } @@ -154,16 +159,16 @@ class ModuleHTTPAccessList : public Module if (!allow_access) { ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "Denying access to whitelisted resource %s (matched by pattern %s) from ip %s (Not in whitelist)", - http->GetURI().c_str(), this_acl->path.c_str(), http->GetIP().c_str()); + http->GetPath().c_str(), this_acl->path.c_str(), http->GetIP().c_str()); BlockAccess(http, 403); - return; + return false; } } if (!this_acl->password.empty() && !this_acl->username.empty()) { /* Password auth, first look to see if we have a basic authentication header */ ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "Checking HTTP auth password for resource %s (matched by pattern %s) from ip %s, against username %s", - http->GetURI().c_str(), this_acl->path.c_str(), http->GetIP().c_str(), this_acl->username.c_str()); + http->GetPath().c_str(), this_acl->path.c_str(), http->GetIP().c_str(), this_acl->username.c_str()); if (http->headers->IsSet("Authorization")) { @@ -192,37 +197,56 @@ class ModuleHTTPAccessList : public Module if (user == this_acl->username && pass == this_acl->password) { ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "HTTP authorization: password and username match"); - return; + return true; } else + { /* Invalid password */ + ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "HTTP authorization: password and username do not match"); BlockAccess(http, 401, "WWW-Authenticate", "Basic realm=\"Restricted Object\""); + } } else + { /* Malformed user:pass pair */ + ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "HTTP authorization: password and username malformed"); BlockAccess(http, 401, "WWW-Authenticate", "Basic realm=\"Restricted Object\""); + } } else + { /* Unsupported authentication type */ + ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "HTTP authorization: unsupported auth type: %s", authtype.c_str()); BlockAccess(http, 401, "WWW-Authenticate", "Basic realm=\"Restricted Object\""); + } } else { /* No password given at all, access denied */ + ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "HTTP authorization: password and username not sent"); BlockAccess(http, 401, "WWW-Authenticate", "Basic realm=\"Restricted Object\""); } + return false; } /* A path may only match one ACL (the first it finds in the config file) */ - return; + break; } } } + return true; + } + + ModResult OnHTTPACLCheck(HTTPRequest& req) CXX11_OVERRIDE + { + if (IsAccessAllowed(&req)) + return MOD_RES_PASSTHRU; + return MOD_RES_DENY; } Version GetVersion() CXX11_OVERRIDE { - return Version("Provides access control lists (passwording of resources, ip restrictions etc) to m_httpd.so dependent modules", VF_VENDOR); + return Version("Allows the server administrator to control who can access resources served over HTTP with the httpd module.", VF_VENDOR); } };