From 6d205fc3fb8d9d7d8d2fc569002bae2f12eb3de9 Mon Sep 17 00:00:00 2001 From: Sadie Powell Date: Sun, 11 Apr 2021 18:34:08 +0100 Subject: Rename the cgiirc module to gateway. --- src/modules/m_cgiirc.cpp | 534 ---------------------------------------------- src/modules/m_dnsbl.cpp | 3 - src/modules/m_gateway.cpp | 534 ++++++++++++++++++++++++++++++++++++++++++++++ src/modules/m_rline.cpp | 2 +- 4 files changed, 535 insertions(+), 538 deletions(-) delete mode 100644 src/modules/m_cgiirc.cpp create mode 100644 src/modules/m_gateway.cpp (limited to 'src') diff --git a/src/modules/m_cgiirc.cpp b/src/modules/m_cgiirc.cpp deleted file mode 100644 index b05f110c0..000000000 --- a/src/modules/m_cgiirc.cpp +++ /dev/null @@ -1,534 +0,0 @@ -/* - * InspIRCd -- Internet Relay Chat Daemon - * - * Copyright (C) 2019 linuxdaemon - * Copyright (C) 2014 md_5 - * Copyright (C) 2014 Googolplexed - * Copyright (C) 2013, 2017-2018, 2020-2021 Sadie Powell - * Copyright (C) 2013 Adam - * Copyright (C) 2012-2013, 2015 Attila Molnar - * Copyright (C) 2012, 2019 Robby - * Copyright (C) 2009-2010 Daniel De Graaf - * Copyright (C) 2009 Uli Schlachter - * Copyright (C) 2007-2009 Robin Burchell - * Copyright (C) 2007 Dennis Friis - * Copyright (C) 2006-2007, 2010 Craig Edwards - * - * This file is part of InspIRCd. InspIRCd is free software: you can - * redistribute it and/or modify it under the terms of the GNU General Public - * License as published by the Free Software Foundation, version 2. - * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - - -#include "inspircd.h" -#include "modules/extban.h" -#include "modules/ssl.h" -#include "modules/webirc.h" -#include "modules/whois.h" - -enum -{ - // InspIRCd-specific. - RPL_WHOISGATEWAY = 350 -}; - -// One or more hostmask globs or CIDR ranges. -typedef std::vector MaskList; - -// Encapsulates information about an ident host. -class IdentHost -{ - private: - MaskList hostmasks; - std::string newident; - - public: - IdentHost(const MaskList& masks, const std::string& ident) - : hostmasks(masks) - , newident(ident) - { - } - - const std::string& GetIdent() const - { - return newident; - } - - bool Matches(LocalUser* user) const - { - for (const auto& mask : hostmasks) - { - // Does the user's hostname match this hostmask? - if (InspIRCd::Match(user->GetRealHost(), mask, ascii_case_insensitive_map)) - return true; - - // Does the user's IP address match this hostmask? - if (InspIRCd::MatchCIDR(user->GetIPString(), mask, ascii_case_insensitive_map)) - return true; - } - - // The user didn't match any hostmasks. - return false; - } -}; - -// Encapsulates information about a WebIRC host. -class WebIRCHost -{ - private: - MaskList hostmasks; - std::string fingerprint; - std::string password; - std::string passhash; - - public: - WebIRCHost(const MaskList& masks, const std::string& fp, const std::string& pass, const std::string& hash) - : hostmasks(masks) - , fingerprint(fp) - , password(pass) - , passhash(hash) - { - } - - bool Matches(LocalUser* user, const std::string& pass, UserCertificateAPI& sslapi) const - { - // Did the user send a valid password? - if (!password.empty() && !ServerInstance->PassCompare(user, password, pass, passhash)) - return false; - - // Does the user have a valid fingerprint? - const std::string fp = sslapi ? sslapi->GetFingerprint(user) : ""; - if (!fingerprint.empty() && !InspIRCd::TimingSafeCompare(fp, fingerprint)) - return false; - - for (const auto& mask : hostmasks) - { - // Does the user's hostname match this hostmask? - if (InspIRCd::Match(user->GetRealHost(), mask, ascii_case_insensitive_map)) - return true; - - // Does the user's IP address match this hostmask? - if (InspIRCd::MatchCIDR(user->GetIPString(), mask, ascii_case_insensitive_map)) - return true; - } - - // The user didn't match any hostmasks. - return false; - } -}; - -class CommandHexIP : public SplitCommand -{ - public: - CommandHexIP(Module* Creator) - : SplitCommand(Creator, "HEXIP", 1) - { - allow_empty_last_param = false; - Penalty = 2; - syntax = { "" }; - } - - CmdResult HandleLocal(LocalUser* user, const Params& parameters) override - { - irc::sockets::sockaddrs sa; - if (irc::sockets::aptosa(parameters[0], 0, sa)) - { - if (sa.family() != AF_INET) - { - user->WriteNotice("*** HEXIP: You can only hex encode an IPv4 address!"); - return CmdResult::FAILURE; - } - - uint32_t addr = sa.in4.sin_addr.s_addr; - user->WriteNotice(InspIRCd::Format("*** HEXIP: %s encodes to %02x%02x%02x%02x.", - sa.addr().c_str(), (addr & 0xFF), ((addr >> 8) & 0xFF), ((addr >> 16) & 0xFF), - ((addr >> 24) & 0xFF))); - return CmdResult::SUCCESS; - } - - if (ParseIP(parameters[0], sa)) - { - user->WriteNotice(InspIRCd::Format("*** HEXIP: %s decodes to %s.", - parameters[0].c_str(), sa.addr().c_str())); - return CmdResult::SUCCESS; - } - - user->WriteNotice(InspIRCd::Format("*** HEXIP: %s is not a valid raw or hex encoded IPv4 address.", - parameters[0].c_str())); - return CmdResult::FAILURE; - } - - static bool ParseIP(const std::string& in, irc::sockets::sockaddrs& out) - { - const char* ident = NULL; - if (in.length() == 8) - { - // The ident is an IPv4 address encoded in hexadecimal with two characters - // per address segment. - ident = in.c_str(); - } - else if (in.length() == 9 && in[0] == '~') - { - // The same as above but m_ident got to this user before we did. Strip the - // ident prefix and continue as normal. - ident = in.c_str() + 1; - } - else - { - // The user either does not have an IPv4 in their ident or the gateway server - // is also running an identd. In the latter case there isn't really a lot we - // can do so we just assume that the client in question is not connecting via - // an ident gateway. - return false; - } - - // Try to convert the IP address to a string. If this fails then the user - // does not have an IPv4 address in their ident. - errno = 0; - unsigned long address = strtoul(ident, NULL, 16); - if (errno) - return false; - - out.in4.sin_family = AF_INET; - out.in4.sin_addr.s_addr = htonl(address); - return true; - } -}; - -class GatewayExtBan - : public ExtBan::MatchingBase -{ - public: - StringExtItem gateway; - - GatewayExtBan(Module* Creator) - : ExtBan::MatchingBase(Creator, "gateway", 'w') - , gateway(Creator, "cgiirc_gateway", ExtensionItem::EXT_USER, true) - { - } - - bool IsMatch(User* user, Channel* channel, const std::string& text) override - { - const std::string* gatewayname = gateway.Get(user); - return gatewayname ? InspIRCd::Match(*gatewayname, text) : false; - } -}; - -class CommandWebIRC : public SplitCommand -{ - public: - std::vector hosts; - GatewayExtBan extban; - StringExtItem realhost; - StringExtItem realip; - UserCertificateAPI sslapi; - Events::ModuleEventProvider webircevprov; - - CommandWebIRC(Module* Creator) - : SplitCommand(Creator, "WEBIRC", 4) - , extban(Creator) - , realhost(Creator, "cgiirc_realhost", ExtensionItem::EXT_USER, true) - , realip(Creator, "cgiirc_realip", ExtensionItem::EXT_USER, true) - , sslapi(Creator) - , webircevprov(Creator, "event/webirc") - { - allow_empty_last_param = false; - works_before_reg = true; - syntax = { " []" }; - } - - CmdResult HandleLocal(LocalUser* user, const Params& parameters) override - { - if (user->registered == REG_ALL || realhost.Get(user)) - return CmdResult::FAILURE; - - for (const auto& host : hosts) - { - // If we don't match the host then skip to the next host. - if (!host.Matches(user, parameters[0], sslapi)) - continue; - - irc::sockets::sockaddrs ipaddr; - if (!irc::sockets::aptosa(parameters[3], user->client_sa.port(), ipaddr)) - { - ServerInstance->SNO.WriteGlobalSno('w', "Connecting user %s (%s) tried to use WEBIRC but gave an invalid IP address.", - user->uuid.c_str(), user->GetIPString().c_str()); - ServerInstance->Users.QuitUser(user, "WEBIRC: IP address is invalid: " + parameters[3]); - return CmdResult::FAILURE; - } - - // The user matched a WebIRC block! - extban.gateway.Set(user, parameters[1]); - realhost.Set(user, user->GetRealHost()); - realip.Set(user, user->GetIPString()); - - ServerInstance->SNO.WriteGlobalSno('w', "Connecting user %s is using the %s WebIRC gateway; changing their IP from %s to %s.", - user->uuid.c_str(), parameters[1].c_str(), - user->GetIPString().c_str(), parameters[3].c_str()); - - // If we have custom flags then deal with them. - WebIRC::FlagMap flags; - const bool hasflags = (parameters.size() > 4); - if (hasflags) - { - // Parse the flags. - irc::spacesepstream flagstream(parameters[4]); - for (std::string flag; flagstream.GetToken(flag); ) - { - // Does this flag have a value? - const size_t separator = flag.find('='); - if (separator == std::string::npos) - { - flags[flag]; - continue; - } - - // The flag has a value! - const std::string key = flag.substr(0, separator); - const std::string value = flag.substr(separator + 1); - flags[key] = value; - } - } - - // Inform modules about the WebIRC attempt. - webircevprov.Call(&WebIRC::EventListener::OnWebIRCAuth, user, (hasflags ? &flags : nullptr)); - - // Set the IP address sent via WEBIRC. We ignore the hostname and lookup - // instead do our own DNS lookups because of unreliable gateways. - user->SetClientIP(ipaddr); - return CmdResult::SUCCESS; - } - - ServerInstance->SNO.WriteGlobalSno('w', "Connecting user %s (%s) tried to use WEBIRC but didn't match any configured WebIRC hosts.", - user->uuid.c_str(), user->GetIPString().c_str()); - ServerInstance->Users.QuitUser(user, "WEBIRC: you don't match any configured WebIRC hosts."); - return CmdResult::FAILURE; - } -}; - -class ModuleCgiIRC - : public Module - , public WebIRC::EventListener - , public Whois::EventListener -{ - private: - CommandHexIP cmdhexip; - CommandWebIRC cmdwebirc; - std::vector hosts; - - public: - ModuleCgiIRC() - : Module(VF_VENDOR, "Adds the ability for IRC gateways to forward the real IP address of users connecting through them.") - , WebIRC::EventListener(this) - , Whois::EventListener(this) - , cmdhexip(this) - , cmdwebirc(this) - { - } - - void init() override - { - ServerInstance->SNO.EnableSnomask('w', "CGIIRC"); - } - - void ReadConfig(ConfigStatus& status) override - { - std::vector identhosts; - std::vector webirchosts; - - for (const auto& [_, tag] : ServerInstance->Config->ConfTags("cgihost")) - { - MaskList masks; - irc::spacesepstream maskstream(tag->getString("mask")); - for (std::string mask; maskstream.GetToken(mask); ) - masks.push_back(mask); - - // Ensure that we have the parameter. - if (masks.empty()) - throw ModuleException(" is a mandatory field, at " + tag->source.str()); - - // Determine what lookup type this host uses. - const std::string type = tag->getString("type"); - if (stdalgo::string::equalsci(type, "ident")) - { - // The IP address should be looked up from the hex IP address. - const std::string newident = tag->getString("newident", "gateway", ServerInstance->IsIdent); - identhosts.emplace_back(masks, newident); - } - else if (stdalgo::string::equalsci(type, "webirc")) - { - // The IP address will be received via the WEBIRC command. - const std::string fingerprint = tag->getString("fingerprint"); - const std::string password = tag->getString("password"); - const std::string passwordhash = tag->getString("hash", "plaintext", 1); - - // WebIRC blocks require a password. - if (fingerprint.empty() && password.empty()) - throw ModuleException("When using either the fingerprint or password field is required, at " + tag->source.str()); - - if (!password.empty() && stdalgo::string::equalsci(passwordhash, "plaintext")) - { - ServerInstance->Logs.Log(MODNAME, LOG_DEFAULT, " tag at %s contains an plain text password, this is insecure!", - tag->source.str().c_str()); - } - - webirchosts.emplace_back(masks, fingerprint, password, passwordhash); - } - else - { - throw ModuleException(type + " is an invalid type, at " + tag->source.str()); - } - } - - // The host configuration was valid so we can apply it. - hosts.swap(identhosts); - cmdwebirc.hosts.swap(webirchosts); - } - - ModResult OnSetConnectClass(LocalUser* user, std::shared_ptr myclass) override - { - // If is not set then we have nothing to do. - const std::string webirc = myclass->config->getString("webirc"); - if (webirc.empty()) - return MOD_RES_PASSTHRU; - - // If the user is not connecting via a WebIRC gateway then they - // cannot match this connect class. - const std::string* gateway = cmdwebirc.extban.gateway.Get(user); - if (!gateway) - { - ServerInstance->Logs.Log("CONNECTCLASS", LOG_DEBUG, "The %s connect class is not suitable as it requires a connection via a WebIRC gateway", - myclass->GetName().c_str()); - return MOD_RES_DENY; - } - - // If the gateway matches the constraint then - // allow the check to continue. Otherwise, reject it. - if (!InspIRCd::Match(*gateway, webirc)) - { - ServerInstance->Logs.Log("CONNECTCLASS", LOG_DEBUG, "The %s connect class is not suitable as the WebIRC gateway name (%s) does not match %s", - myclass->GetName().c_str(), gateway->c_str(), webirc.c_str()); - return MOD_RES_DENY; - } - - return MOD_RES_PASSTHRU; - } - - ModResult OnUserRegister(LocalUser* user) override - { - // There is no need to check for gateways if one is already being used. - if (cmdwebirc.realhost.Get(user)) - return MOD_RES_PASSTHRU; - - for (const auto& host : hosts) - { - // If we don't match the host then skip to the next host. - if (!host.Matches(user)) - continue; - - // We have matched an block! Try to parse the encoded IPv4 address - // out of the ident. - irc::sockets::sockaddrs address(user->client_sa); - if (!CommandHexIP::ParseIP(user->ident, address)) - return MOD_RES_PASSTHRU; - - // Store the hostname and IP of the gateway for later use. - cmdwebirc.realhost.Set(user, user->GetRealHost()); - cmdwebirc.realip.Set(user, user->GetIPString()); - - const std::string& newident = host.GetIdent(); - ServerInstance->SNO.WriteGlobalSno('w', "Connecting user %s is using an ident gateway; changing their IP from %s to %s and their ident from %s to %s.", - user->uuid.c_str(), user->GetIPString().c_str(), address.addr().c_str(), user->ident.c_str(), newident.c_str()); - - user->ChangeIdent(newident); - user->SetClientIP(address); - break; - } - return MOD_RES_PASSTHRU; - } - - void OnWebIRCAuth(LocalUser* user, const WebIRC::FlagMap* flags) override - { - // We are only interested in connection flags. If none have been - // given then we have nothing to do. - if (!flags) - return; - - WebIRC::FlagMap::const_iterator cport = flags->find("remote-port"); - if (cport != flags->end()) - { - // If we can't parse the port then just give up. - uint16_t port = ConvToNum(cport->second); - if (port) - { - switch (user->client_sa.family()) - { - case AF_INET: - user->client_sa.in4.sin_port = htons(port); - break; - - case AF_INET6: - user->client_sa.in6.sin6_port = htons(port); - break; - - default: - // If we have reached this point then we have encountered a bug. - ServerInstance->Logs.Log(MODNAME, LOG_DEBUG, "BUG: OnWebIRCAuth(%s): socket type %d is unknown!", - user->uuid.c_str(), user->client_sa.family()); - return; - } - } - } - - WebIRC::FlagMap::const_iterator sport = flags->find("local-port"); - if (sport != flags->end()) - { - // If we can't parse the port then just give up. - uint16_t port = ConvToNum(sport->second); - if (port) - { - switch (user->server_sa.family()) - { - case AF_INET: - user->server_sa.in4.sin_port = htons(port); - break; - - case AF_INET6: - user->server_sa.in6.sin6_port = htons(port); - break; - - default: - // If we have reached this point then we have encountered a bug. - ServerInstance->Logs.Log(MODNAME, LOG_DEBUG, "BUG: OnWebIRCAuth(%s): socket type %d is unknown!", - user->uuid.c_str(), user->server_sa.family()); - return; - } - } - } - } - - void OnWhois(Whois::Context& whois) override - { - // If these fields are not set then the client is not using a gateway. - const std::string* realhost = cmdwebirc.realhost.Get(whois.GetTarget()); - const std::string* realip = cmdwebirc.realip.Get(whois.GetTarget()); - if (!realhost || !realip) - return; - - const std::string* gateway = cmdwebirc.extban.gateway.Get(whois.GetTarget()); - if (gateway) - whois.SendLine(RPL_WHOISGATEWAY, *realhost, *realip, "is connected via the " + *gateway + " WebIRC gateway"); - else - whois.SendLine(RPL_WHOISGATEWAY, *realhost, *realip, "is connected via an ident gateway"); - } -}; - -MODULE_INIT(ModuleCgiIRC) diff --git a/src/modules/m_dnsbl.cpp b/src/modules/m_dnsbl.cpp index 85c756f40..6a050f1af 100644 --- a/src/modules/m_dnsbl.cpp +++ b/src/modules/m_dnsbl.cpp @@ -57,9 +57,6 @@ class DNSBLConfEntry } }; - -/** Resolver for CGI:IRC hostnames encoded in ident/real name - */ class DNSBLResolver : public DNS::Request { private: diff --git a/src/modules/m_gateway.cpp b/src/modules/m_gateway.cpp new file mode 100644 index 000000000..9484e1bb9 --- /dev/null +++ b/src/modules/m_gateway.cpp @@ -0,0 +1,534 @@ +/* + * InspIRCd -- Internet Relay Chat Daemon + * + * Copyright (C) 2019 linuxdaemon + * Copyright (C) 2014 md_5 + * Copyright (C) 2014 Googolplexed + * Copyright (C) 2013, 2017-2018, 2020-2021 Sadie Powell + * Copyright (C) 2013 Adam + * Copyright (C) 2012-2013, 2015 Attila Molnar + * Copyright (C) 2012, 2019 Robby + * Copyright (C) 2009-2010 Daniel De Graaf + * Copyright (C) 2009 Uli Schlachter + * Copyright (C) 2007-2009 Robin Burchell + * Copyright (C) 2007 Dennis Friis + * Copyright (C) 2006-2007, 2010 Craig Edwards + * + * This file is part of InspIRCd. InspIRCd is free software: you can + * redistribute it and/or modify it under the terms of the GNU General Public + * License as published by the Free Software Foundation, version 2. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + + +#include "inspircd.h" +#include "modules/extban.h" +#include "modules/ssl.h" +#include "modules/webirc.h" +#include "modules/whois.h" + +enum +{ + // InspIRCd-specific. + RPL_WHOISGATEWAY = 350 +}; + +// One or more hostmask globs or CIDR ranges. +typedef std::vector MaskList; + +// Encapsulates information about an ident host. +class IdentHost +{ + private: + MaskList hostmasks; + std::string newident; + + public: + IdentHost(const MaskList& masks, const std::string& ident) + : hostmasks(masks) + , newident(ident) + { + } + + const std::string& GetIdent() const + { + return newident; + } + + bool Matches(LocalUser* user) const + { + for (const auto& mask : hostmasks) + { + // Does the user's hostname match this hostmask? + if (InspIRCd::Match(user->GetRealHost(), mask, ascii_case_insensitive_map)) + return true; + + // Does the user's IP address match this hostmask? + if (InspIRCd::MatchCIDR(user->GetIPString(), mask, ascii_case_insensitive_map)) + return true; + } + + // The user didn't match any hostmasks. + return false; + } +}; + +// Encapsulates information about a WebIRC host. +class WebIRCHost +{ + private: + MaskList hostmasks; + std::string fingerprint; + std::string password; + std::string passhash; + + public: + WebIRCHost(const MaskList& masks, const std::string& fp, const std::string& pass, const std::string& hash) + : hostmasks(masks) + , fingerprint(fp) + , password(pass) + , passhash(hash) + { + } + + bool Matches(LocalUser* user, const std::string& pass, UserCertificateAPI& sslapi) const + { + // Did the user send a valid password? + if (!password.empty() && !ServerInstance->PassCompare(user, password, pass, passhash)) + return false; + + // Does the user have a valid fingerprint? + const std::string fp = sslapi ? sslapi->GetFingerprint(user) : ""; + if (!fingerprint.empty() && !InspIRCd::TimingSafeCompare(fp, fingerprint)) + return false; + + for (const auto& mask : hostmasks) + { + // Does the user's hostname match this hostmask? + if (InspIRCd::Match(user->GetRealHost(), mask, ascii_case_insensitive_map)) + return true; + + // Does the user's IP address match this hostmask? + if (InspIRCd::MatchCIDR(user->GetIPString(), mask, ascii_case_insensitive_map)) + return true; + } + + // The user didn't match any hostmasks. + return false; + } +}; + +class CommandHexIP : public SplitCommand +{ + public: + CommandHexIP(Module* Creator) + : SplitCommand(Creator, "HEXIP", 1) + { + allow_empty_last_param = false; + Penalty = 2; + syntax = { "" }; + } + + CmdResult HandleLocal(LocalUser* user, const Params& parameters) override + { + irc::sockets::sockaddrs sa; + if (irc::sockets::aptosa(parameters[0], 0, sa)) + { + if (sa.family() != AF_INET) + { + user->WriteNotice("*** HEXIP: You can only hex encode an IPv4 address!"); + return CmdResult::FAILURE; + } + + uint32_t addr = sa.in4.sin_addr.s_addr; + user->WriteNotice(InspIRCd::Format("*** HEXIP: %s encodes to %02x%02x%02x%02x.", + sa.addr().c_str(), (addr & 0xFF), ((addr >> 8) & 0xFF), ((addr >> 16) & 0xFF), + ((addr >> 24) & 0xFF))); + return CmdResult::SUCCESS; + } + + if (ParseIP(parameters[0], sa)) + { + user->WriteNotice(InspIRCd::Format("*** HEXIP: %s decodes to %s.", + parameters[0].c_str(), sa.addr().c_str())); + return CmdResult::SUCCESS; + } + + user->WriteNotice(InspIRCd::Format("*** HEXIP: %s is not a valid raw or hex encoded IPv4 address.", + parameters[0].c_str())); + return CmdResult::FAILURE; + } + + static bool ParseIP(const std::string& in, irc::sockets::sockaddrs& out) + { + const char* ident = NULL; + if (in.length() == 8) + { + // The ident is an IPv4 address encoded in hexadecimal with two characters + // per address segment. + ident = in.c_str(); + } + else if (in.length() == 9 && in[0] == '~') + { + // The same as above but m_ident got to this user before we did. Strip the + // ident prefix and continue as normal. + ident = in.c_str() + 1; + } + else + { + // The user either does not have an IPv4 in their ident or the gateway server + // is also running an identd. In the latter case there isn't really a lot we + // can do so we just assume that the client in question is not connecting via + // an ident gateway. + return false; + } + + // Try to convert the IP address to a string. If this fails then the user + // does not have an IPv4 address in their ident. + errno = 0; + unsigned long address = strtoul(ident, NULL, 16); + if (errno) + return false; + + out.in4.sin_family = AF_INET; + out.in4.sin_addr.s_addr = htonl(address); + return true; + } +}; + +class GatewayExtBan + : public ExtBan::MatchingBase +{ + public: + StringExtItem gateway; + + GatewayExtBan(Module* Creator) + : ExtBan::MatchingBase(Creator, "gateway", 'w') + , gateway(Creator, "webirc-gateway", ExtensionItem::EXT_USER, true) + { + } + + bool IsMatch(User* user, Channel* channel, const std::string& text) override + { + const std::string* gatewayname = gateway.Get(user); + return gatewayname ? InspIRCd::Match(*gatewayname, text) : false; + } +}; + +class CommandWebIRC : public SplitCommand +{ + public: + std::vector hosts; + GatewayExtBan extban; + StringExtItem realhost; + StringExtItem realip; + UserCertificateAPI sslapi; + Events::ModuleEventProvider webircevprov; + + CommandWebIRC(Module* Creator) + : SplitCommand(Creator, "WEBIRC", 4) + , extban(Creator) + , realhost(Creator, "gateway-realhost", ExtensionItem::EXT_USER, true) + , realip(Creator, "gateway-realip", ExtensionItem::EXT_USER, true) + , sslapi(Creator) + , webircevprov(Creator, "event/webirc") + { + allow_empty_last_param = false; + works_before_reg = true; + syntax = { " []" }; + } + + CmdResult HandleLocal(LocalUser* user, const Params& parameters) override + { + if (user->registered == REG_ALL || realhost.Get(user)) + return CmdResult::FAILURE; + + for (const auto& host : hosts) + { + // If we don't match the host then skip to the next host. + if (!host.Matches(user, parameters[0], sslapi)) + continue; + + irc::sockets::sockaddrs ipaddr; + if (!irc::sockets::aptosa(parameters[3], user->client_sa.port(), ipaddr)) + { + ServerInstance->SNO.WriteGlobalSno('w', "Connecting user %s (%s) tried to use WEBIRC but gave an invalid IP address.", + user->uuid.c_str(), user->GetIPString().c_str()); + ServerInstance->Users.QuitUser(user, "WEBIRC: IP address is invalid: " + parameters[3]); + return CmdResult::FAILURE; + } + + // The user matched a WebIRC block! + extban.gateway.Set(user, parameters[1]); + realhost.Set(user, user->GetRealHost()); + realip.Set(user, user->GetIPString()); + + ServerInstance->SNO.WriteGlobalSno('w', "Connecting user %s is using the %s WebIRC gateway; changing their IP from %s to %s.", + user->uuid.c_str(), parameters[1].c_str(), + user->GetIPString().c_str(), parameters[3].c_str()); + + // If we have custom flags then deal with them. + WebIRC::FlagMap flags; + const bool hasflags = (parameters.size() > 4); + if (hasflags) + { + // Parse the flags. + irc::spacesepstream flagstream(parameters[4]); + for (std::string flag; flagstream.GetToken(flag); ) + { + // Does this flag have a value? + const size_t separator = flag.find('='); + if (separator == std::string::npos) + { + flags[flag]; + continue; + } + + // The flag has a value! + const std::string key = flag.substr(0, separator); + const std::string value = flag.substr(separator + 1); + flags[key] = value; + } + } + + // Inform modules about the WebIRC attempt. + webircevprov.Call(&WebIRC::EventListener::OnWebIRCAuth, user, (hasflags ? &flags : nullptr)); + + // Set the IP address sent via WEBIRC. We ignore the hostname and lookup + // instead do our own DNS lookups because of unreliable gateways. + user->SetClientIP(ipaddr); + return CmdResult::SUCCESS; + } + + ServerInstance->SNO.WriteGlobalSno('w', "Connecting user %s (%s) tried to use WEBIRC but didn't match any configured WebIRC hosts.", + user->uuid.c_str(), user->GetIPString().c_str()); + ServerInstance->Users.QuitUser(user, "WEBIRC: you don't match any configured WebIRC hosts."); + return CmdResult::FAILURE; + } +}; + +class ModuleGateway + : public Module + , public WebIRC::EventListener + , public Whois::EventListener +{ + private: + CommandHexIP cmdhexip; + CommandWebIRC cmdwebirc; + std::vector hosts; + + public: + ModuleGateway() + : Module(VF_VENDOR, "Adds the ability for IRC gateways to forward the real IP address of users connecting through them.") + , WebIRC::EventListener(this) + , Whois::EventListener(this) + , cmdhexip(this) + , cmdwebirc(this) + { + } + + void init() override + { + ServerInstance->SNO.EnableSnomask('w', "GATEWAY"); + } + + void ReadConfig(ConfigStatus& status) override + { + std::vector identhosts; + std::vector webirchosts; + + for (const auto& [_, tag] : ServerInstance->Config->ConfTags("gateway", ServerInstance->Config->ConfTags("cgihost"))) + { + MaskList masks; + irc::spacesepstream maskstream(tag->getString("mask")); + for (std::string mask; maskstream.GetToken(mask); ) + masks.push_back(mask); + + // Ensure that we have the parameter. + if (masks.empty()) + throw ModuleException("<" + tag->name + ":mask> is a mandatory field, at " + tag->source.str()); + + // Determine what lookup type this host uses. + const std::string type = tag->getString("type"); + if (stdalgo::string::equalsci(type, "ident")) + { + // The IP address should be looked up from the hex IP address. + const std::string newident = tag->getString("newident", "gateway", ServerInstance->IsIdent); + identhosts.emplace_back(masks, newident); + } + else if (stdalgo::string::equalsci(type, "webirc")) + { + // The IP address will be received via the WEBIRC command. + const std::string fingerprint = tag->getString("fingerprint"); + const std::string password = tag->getString("password"); + const std::string passwordhash = tag->getString("hash", "plaintext", 1); + + // WebIRC blocks require a password. + if (fingerprint.empty() && password.empty()) + throw ModuleException("When using <" + tag->name + " type=\"webirc\"> either the fingerprint or password field is required, at " + tag->source.str()); + + if (!password.empty() && stdalgo::string::equalsci(passwordhash, "plaintext")) + { + ServerInstance->Logs.Log(MODNAME, LOG_DEFAULT, "<" + tag->name + "> tag at %s contains an plain text password, this is insecure!", + tag->source.str().c_str()); + } + + webirchosts.emplace_back(masks, fingerprint, password, passwordhash); + } + else + { + throw ModuleException(type + " is an invalid <" + tag->name + ":mask> type, at " + tag->source.str()); + } + } + + // The host configuration was valid so we can apply it. + hosts.swap(identhosts); + cmdwebirc.hosts.swap(webirchosts); + } + + ModResult OnSetConnectClass(LocalUser* user, std::shared_ptr myclass) override + { + // If is not set then we have nothing to do. + const std::string webirc = myclass->config->getString("webirc"); + if (webirc.empty()) + return MOD_RES_PASSTHRU; + + // If the user is not connecting via a WebIRC gateway then they + // cannot match this connect class. + const std::string* gateway = cmdwebirc.extban.gateway.Get(user); + if (!gateway) + { + ServerInstance->Logs.Log("CONNECTCLASS", LOG_DEBUG, "The %s connect class is not suitable as it requires a connection via a WebIRC gateway", + myclass->GetName().c_str()); + return MOD_RES_DENY; + } + + // If the gateway matches the constraint then + // allow the check to continue. Otherwise, reject it. + if (!InspIRCd::Match(*gateway, webirc)) + { + ServerInstance->Logs.Log("CONNECTCLASS", LOG_DEBUG, "The %s connect class is not suitable as the WebIRC gateway name (%s) does not match %s", + myclass->GetName().c_str(), gateway->c_str(), webirc.c_str()); + return MOD_RES_DENY; + } + + return MOD_RES_PASSTHRU; + } + + ModResult OnUserRegister(LocalUser* user) override + { + // There is no need to check for gateways if one is already being used. + if (cmdwebirc.realhost.Get(user)) + return MOD_RES_PASSTHRU; + + for (const auto& host : hosts) + { + // If we don't match the host then skip to the next host. + if (!host.Matches(user)) + continue; + + // We have matched an gateway block! Try to parse the encoded IPv4 address + // out of the ident. + irc::sockets::sockaddrs address(user->client_sa); + if (!CommandHexIP::ParseIP(user->ident, address)) + return MOD_RES_PASSTHRU; + + // Store the hostname and IP of the gateway for later use. + cmdwebirc.realhost.Set(user, user->GetRealHost()); + cmdwebirc.realip.Set(user, user->GetIPString()); + + const std::string& newident = host.GetIdent(); + ServerInstance->SNO.WriteGlobalSno('w', "Connecting user %s is using an ident gateway; changing their IP from %s to %s and their ident from %s to %s.", + user->uuid.c_str(), user->GetIPString().c_str(), address.addr().c_str(), user->ident.c_str(), newident.c_str()); + + user->ChangeIdent(newident); + user->SetClientIP(address); + break; + } + return MOD_RES_PASSTHRU; + } + + void OnWebIRCAuth(LocalUser* user, const WebIRC::FlagMap* flags) override + { + // We are only interested in connection flags. If none have been + // given then we have nothing to do. + if (!flags) + return; + + WebIRC::FlagMap::const_iterator cport = flags->find("remote-port"); + if (cport != flags->end()) + { + // If we can't parse the port then just give up. + uint16_t port = ConvToNum(cport->second); + if (port) + { + switch (user->client_sa.family()) + { + case AF_INET: + user->client_sa.in4.sin_port = htons(port); + break; + + case AF_INET6: + user->client_sa.in6.sin6_port = htons(port); + break; + + default: + // If we have reached this point then we have encountered a bug. + ServerInstance->Logs.Log(MODNAME, LOG_DEBUG, "BUG: OnWebIRCAuth(%s): socket type %d is unknown!", + user->uuid.c_str(), user->client_sa.family()); + return; + } + } + } + + WebIRC::FlagMap::const_iterator sport = flags->find("local-port"); + if (sport != flags->end()) + { + // If we can't parse the port then just give up. + uint16_t port = ConvToNum(sport->second); + if (port) + { + switch (user->server_sa.family()) + { + case AF_INET: + user->server_sa.in4.sin_port = htons(port); + break; + + case AF_INET6: + user->server_sa.in6.sin6_port = htons(port); + break; + + default: + // If we have reached this point then we have encountered a bug. + ServerInstance->Logs.Log(MODNAME, LOG_DEBUG, "BUG: OnWebIRCAuth(%s): socket type %d is unknown!", + user->uuid.c_str(), user->server_sa.family()); + return; + } + } + } + } + + void OnWhois(Whois::Context& whois) override + { + // If these fields are not set then the client is not using a gateway. + const std::string* realhost = cmdwebirc.realhost.Get(whois.GetTarget()); + const std::string* realip = cmdwebirc.realip.Get(whois.GetTarget()); + if (!realhost || !realip) + return; + + const std::string* gateway = cmdwebirc.extban.gateway.Get(whois.GetTarget()); + if (gateway) + whois.SendLine(RPL_WHOISGATEWAY, *realhost, *realip, "is connected via the " + *gateway + " WebIRC gateway"); + else + whois.SendLine(RPL_WHOISGATEWAY, *realhost, *realip, "is connected via an ident gateway"); + } +}; + +MODULE_INIT(ModuleGateway) diff --git a/src/modules/m_rline.cpp b/src/modules/m_rline.cpp index fe9bd7e48..a59eb00b0 100644 --- a/src/modules/m_rline.cpp +++ b/src/modules/m_rline.cpp @@ -338,7 +338,7 @@ class ModuleRLine void Prioritize() override { - Module* mod = ServerInstance->Modules.Find("cgiirc"); + Module* mod = ServerInstance->Modules.Find("gateway"); ServerInstance->Modules.SetPriority(this, I_OnUserRegister, PRIORITY_AFTER, mod); } }; -- cgit v1.3.1-10-gc9f91