]>
Commit | Line | Data |
---|---|---|
2b0cc3d3 EM |
1 | /* authd/provider.c - authentication provider framework |
2 | * Copyright (c) 2016 Elizabeth Myers <elizabeth@interlinked.me> | |
3 | * | |
4 | * Permission to use, copy, modify, and/or distribute this software for any | |
5 | * purpose with or without fee is hereby granted, provided that the above | |
6 | * copyright notice and this permission notice is present in all copies. | |
7 | * | |
8 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | |
9 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | |
10 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
11 | * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, | |
12 | * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | |
13 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
14 | * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
15 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
16 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING | |
17 | * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |
18 | * POSSIBILITY OF SUCH DAMAGE. | |
19 | */ | |
20 | ||
89d22b9a EM |
21 | /* The basic design here is to have "authentication providers" that do things |
22 | * like query ident and blacklists and even open proxies. | |
2b0cc3d3 | 23 | * |
f7b37c1d EM |
24 | * Providers are registered in the auth_providers linked list. It is planned to |
25 | * use a bitmap to store provider ID's later. | |
2b0cc3d3 | 26 | * |
89d22b9a EM |
27 | * Providers can either return failure immediately, immediate acceptance, or do |
28 | * work in the background (calling set_provider to signal this). | |
2b0cc3d3 | 29 | * |
3e875f62 EM |
30 | * Provider-specific data for each client can be kept in an index of the data |
31 | * struct member (using the provider's ID). | |
2b0cc3d3 EM |
32 | * |
33 | * All providers must implement at a minimum a perform_provider function. You | |
34 | * don't have to implement the others if you don't need them. | |
35 | * | |
36 | * Providers may kick clients off by rejecting them. Upon rejection, all | |
37 | * providers are cancelled. They can also unconditionally accept them. | |
38 | * | |
39 | * When a provider is done and is neutral on accepting/rejecting a client, it | |
40 | * should call provider_done. Do NOT call this if you have accepted or rejected | |
41 | * the client. | |
42 | * | |
89d22b9a EM |
43 | * Eventually, stuff like *:line handling will be moved here, but that means we |
44 | * have to talk to bandb directly first. | |
45 | * | |
2b0cc3d3 EM |
46 | * --Elizafox, 9 March 2016 |
47 | */ | |
48 | ||
52d49164 | 49 | #include "stdinc.h" |
46d17a88 | 50 | #include "rb_dictionary.h" |
2b0cc3d3 EM |
51 | #include "authd.h" |
52 | #include "provider.h" | |
db821ee9 | 53 | #include "notice.h" |
2b0cc3d3 | 54 | |
15c49abb EM |
55 | static EVH provider_timeout_event; |
56 | ||
2b0cc3d3 EM |
57 | rb_dlink_list auth_providers; |
58 | ||
59 | /* Clients waiting */ | |
aba29d5a | 60 | rb_dictionary *auth_clients; |
2b0cc3d3 | 61 | |
15c49abb EM |
62 | static struct ev_entry *timeout_ev; |
63 | ||
2b0cc3d3 | 64 | /* Load a provider */ |
60374ac9 EM |
65 | void |
66 | load_provider(struct auth_provider *provider) | |
2b0cc3d3 | 67 | { |
3e875f62 | 68 | if(rb_dlink_list_length(&auth_providers) >= MAX_PROVIDERS) |
b2ede1aa | 69 | { |
c23f9755 EM |
70 | warn_opers(L_WARN, "provider: cannot load provider with id %d: maximum reached (%d)", |
71 | provider->id, MAX_PROVIDERS); | |
3e875f62 | 72 | return; |
b2ede1aa | 73 | } |
3e875f62 | 74 | |
a51487e0 EM |
75 | if(provider->opt_handlers != NULL) |
76 | { | |
77 | struct auth_opts_handler *handler; | |
78 | ||
79 | for(handler = provider->opt_handlers; handler->option != NULL; handler++) | |
80 | rb_dictionary_add(authd_option_handlers, handler->option, handler); | |
81 | } | |
82 | ||
ee7f9271 EM |
83 | if(provider->stats_handler.letter != '\0') |
84 | authd_stat_handlers[provider->stats_handler.letter] = provider->stats_handler.handler; | |
85 | ||
9f9ab5c2 EM |
86 | if(provider->init != NULL) |
87 | provider->init(); | |
88 | ||
53c04621 | 89 | rb_dlinkAddTail(provider, &provider->node, &auth_providers); |
2b0cc3d3 EM |
90 | } |
91 | ||
60374ac9 EM |
92 | void |
93 | unload_provider(struct auth_provider *provider) | |
2b0cc3d3 | 94 | { |
a51487e0 EM |
95 | if(provider->opt_handlers != NULL) |
96 | { | |
97 | struct auth_opts_handler *handler; | |
98 | ||
99 | for(handler = provider->opt_handlers; handler->option != NULL; handler++) | |
100 | rb_dictionary_delete(authd_option_handlers, handler->option); | |
101 | } | |
ee7f9271 EM |
102 | |
103 | if(provider->stats_handler.letter != '\0') | |
104 | authd_stat_handlers[provider->stats_handler.letter] = NULL; | |
105 | ||
9f9ab5c2 EM |
106 | if(provider->destroy != NULL) |
107 | provider->destroy(); | |
108 | ||
2b0cc3d3 EM |
109 | rb_dlinkDelete(&provider->node, &auth_providers); |
110 | } | |
111 | ||
112 | /* Initalise all providers */ | |
60374ac9 EM |
113 | void |
114 | init_providers(void) | |
2b0cc3d3 | 115 | { |
3e875f62 | 116 | auth_clients = rb_dictionary_create("pending auth clients", rb_uint32cmp); |
15c49abb | 117 | timeout_ev = rb_event_addish("provider_timeout_event", provider_timeout_event, NULL, 1); |
2b0cc3d3 EM |
118 | load_provider(&rdns_provider); |
119 | load_provider(&ident_provider); | |
f5586c3a | 120 | load_provider(&blacklist_provider); |
4e85459a | 121 | load_provider(&opm_provider); |
2b0cc3d3 EM |
122 | } |
123 | ||
124 | /* Terminate all providers */ | |
60374ac9 EM |
125 | void |
126 | destroy_providers(void) | |
2b0cc3d3 EM |
127 | { |
128 | rb_dlink_node *ptr; | |
aba29d5a | 129 | rb_dictionary_iter iter; |
3e875f62 | 130 | struct auth_client *auth; |
2b0cc3d3 EM |
131 | struct auth_provider *provider; |
132 | ||
133 | /* Cancel outstanding connections */ | |
a52c7a8e | 134 | RB_DICTIONARY_FOREACH(auth, &iter, auth_clients) |
2b0cc3d3 | 135 | { |
3e875f62 | 136 | /* TBD - is this the right thing? */ |
6535177f | 137 | reject_client(auth, -1, "destroy", "Authentication system is down... try reconnecting in a few seconds"); |
2b0cc3d3 EM |
138 | } |
139 | ||
140 | RB_DLINK_FOREACH(ptr, auth_providers.head) | |
141 | { | |
142 | provider = ptr->data; | |
143 | ||
144 | if(provider->destroy) | |
145 | provider->destroy(); | |
146 | } | |
c23f9755 EM |
147 | |
148 | rb_event_delete(timeout_ev); | |
2b0cc3d3 EM |
149 | } |
150 | ||
151 | /* Cancel outstanding providers for a client */ | |
60374ac9 EM |
152 | void |
153 | cancel_providers(struct auth_client *auth) | |
2b0cc3d3 EM |
154 | { |
155 | rb_dlink_node *ptr; | |
156 | struct auth_provider *provider; | |
157 | ||
158 | RB_DLINK_FOREACH(ptr, auth_providers.head) | |
159 | { | |
160 | provider = ptr->data; | |
161 | ||
a7d5aea1 | 162 | if(provider->cancel && is_provider_on(auth, provider->id)) |
2b0cc3d3 EM |
163 | /* Cancel if required */ |
164 | provider->cancel(auth); | |
165 | } | |
46d17a88 | 166 | |
3e875f62 EM |
167 | rb_dictionary_delete(auth_clients, RB_UINT_TO_POINTER(auth->cid)); |
168 | rb_free(auth); | |
2b0cc3d3 EM |
169 | } |
170 | ||
420cfb67 | 171 | /* Provider is done - WARNING: do not use auth instance after calling! */ |
60374ac9 EM |
172 | void |
173 | provider_done(struct auth_client *auth, provider_t id) | |
2b0cc3d3 EM |
174 | { |
175 | rb_dlink_node *ptr; | |
176 | struct auth_provider *provider; | |
177 | ||
a7d5aea1 EM |
178 | set_provider_off(auth, id); |
179 | set_provider_done(auth, id); | |
2b0cc3d3 EM |
180 | |
181 | if(!auth->providers) | |
182 | { | |
05fdc030 EM |
183 | if(!auth->providers_starting) |
184 | /* Only do this when there are no providers left */ | |
6535177f | 185 | accept_client(auth, -1); |
2b0cc3d3 EM |
186 | return; |
187 | } | |
188 | ||
189 | RB_DLINK_FOREACH(ptr, auth_providers.head) | |
190 | { | |
191 | provider = ptr->data; | |
192 | ||
9f9ab5c2 | 193 | if(provider->completed != NULL && is_provider_on(auth, provider->id)) |
2b0cc3d3 EM |
194 | /* Notify pending clients who asked for it */ |
195 | provider->completed(auth, id); | |
196 | } | |
197 | } | |
198 | ||
420cfb67 | 199 | /* Reject a client - WARNING: do not use auth instance after calling! */ |
60374ac9 | 200 | void |
64afc358 | 201 | reject_client(struct auth_client *auth, provider_t id, const char *data, const char *fmt, ...) |
2b0cc3d3 | 202 | { |
2b0cc3d3 | 203 | char reject; |
64afc358 EM |
204 | char buf[BUFSIZE]; |
205 | va_list args; | |
2b0cc3d3 EM |
206 | |
207 | switch(id) | |
208 | { | |
209 | case PROVIDER_RDNS: | |
210 | reject = 'D'; | |
211 | break; | |
212 | case PROVIDER_IDENT: | |
213 | reject = 'I'; | |
214 | break; | |
215 | case PROVIDER_BLACKLIST: | |
216 | reject = 'B'; | |
217 | break; | |
fbe8d087 EM |
218 | case PROVIDER_OPM: |
219 | reject = 'O'; | |
220 | break; | |
2b0cc3d3 EM |
221 | default: |
222 | reject = 'N'; | |
223 | break; | |
224 | } | |
225 | ||
6535177f EM |
226 | if(data == NULL) |
227 | data = "*"; | |
228 | ||
a5ab1062 | 229 | va_start(args, fmt); |
64afc358 EM |
230 | vsnprintf(buf, sizeof(buf), fmt, args); |
231 | va_end(args); | |
232 | ||
3ad21f61 EM |
233 | /* We send back username and hostname in case ircd wants to overrule our decision. |
234 | * In the future this may not be the case. | |
235 | * --Elizafox | |
236 | */ | |
64afc358 | 237 | rb_helper_write(authd_helper, "R %x %c %s %s %s :%s", auth->cid, reject, auth->username, auth->hostname, data, buf); |
2b0cc3d3 | 238 | |
a7d5aea1 | 239 | set_provider_off(auth, id); |
46d17a88 | 240 | cancel_providers(auth); |
2b0cc3d3 EM |
241 | } |
242 | ||
420cfb67 | 243 | /* Accept a client, cancel outstanding providers if any - WARNING: do nto use auth instance after calling! */ |
60374ac9 EM |
244 | void |
245 | accept_client(struct auth_client *auth, provider_t id) | |
2b0cc3d3 | 246 | { |
2b0cc3d3 EM |
247 | rb_helper_write(authd_helper, "A %x %s %s", auth->cid, auth->username, auth->hostname); |
248 | ||
a7d5aea1 | 249 | set_provider_off(auth, id); |
46d17a88 | 250 | cancel_providers(auth); |
2b0cc3d3 EM |
251 | } |
252 | ||
2b0cc3d3 | 253 | /* Begin authenticating user */ |
60374ac9 EM |
254 | static void |
255 | start_auth(const char *cid, const char *l_ip, const char *l_port, const char *c_ip, const char *c_port) | |
2b0cc3d3 EM |
256 | { |
257 | struct auth_provider *provider; | |
3e875f62 | 258 | struct auth_client *auth = rb_malloc(sizeof(struct auth_client)); |
2b0cc3d3 EM |
259 | long lcid = strtol(cid, NULL, 16); |
260 | rb_dlink_node *ptr; | |
261 | ||
3e875f62 | 262 | if(lcid >= UINT32_MAX) |
2b0cc3d3 EM |
263 | return; |
264 | ||
3e875f62 | 265 | auth->cid = (uint32_t)lcid; |
2b0cc3d3 | 266 | |
05fdc030 EM |
267 | if(rb_dictionary_find(auth_clients, RB_UINT_TO_POINTER(auth->cid)) == NULL) |
268 | rb_dictionary_add(auth_clients, RB_UINT_TO_POINTER(auth->cid), auth); | |
269 | else | |
270 | { | |
c23f9755 EM |
271 | warn_opers(L_CRIT, "provider: duplicate client added via start_auth: %x", auth->cid); |
272 | exit(EX_PROVIDER_ERROR); | |
05fdc030 EM |
273 | } |
274 | ||
2b0cc3d3 EM |
275 | rb_strlcpy(auth->l_ip, l_ip, sizeof(auth->l_ip)); |
276 | auth->l_port = (uint16_t)atoi(l_port); /* should be safe */ | |
32f8c78b | 277 | (void) rb_inet_pton_sock(l_ip, (struct sockaddr *)&auth->l_addr); |
d86692fa | 278 | SET_SS_PORT(&auth->l_addr, htons(auth->l_port)); |
2b0cc3d3 EM |
279 | |
280 | rb_strlcpy(auth->c_ip, c_ip, sizeof(auth->c_ip)); | |
281 | auth->c_port = (uint16_t)atoi(c_port); | |
32f8c78b | 282 | (void) rb_inet_pton_sock(c_ip, (struct sockaddr *)&auth->c_addr); |
d86692fa | 283 | SET_SS_PORT(&auth->c_addr, htons(auth->c_port)); |
2b0cc3d3 | 284 | |
1345a41d EM |
285 | rb_strlcpy(auth->hostname, "*", sizeof(auth->hostname)); |
286 | rb_strlcpy(auth->username, "*", sizeof(auth->username)); | |
287 | ||
0cff7adb EM |
288 | memset(auth->data, 0, sizeof(auth->data)); |
289 | ||
05fdc030 | 290 | auth->providers_starting = true; |
2b0cc3d3 EM |
291 | RB_DLINK_FOREACH(ptr, auth_providers.head) |
292 | { | |
293 | provider = ptr->data; | |
294 | ||
05fdc030 EM |
295 | lrb_assert(provider->start != NULL); |
296 | ||
2b0cc3d3 EM |
297 | /* Execute providers */ |
298 | if(!provider->start(auth)) | |
299 | { | |
300 | /* Rejected immediately */ | |
301 | cancel_providers(auth); | |
302 | return; | |
303 | } | |
304 | } | |
05fdc030 | 305 | auth->providers_starting = false; |
2b0cc3d3 EM |
306 | |
307 | /* If no providers are running, accept the client */ | |
308 | if(!auth->providers) | |
6535177f | 309 | accept_client(auth, -1); |
2b0cc3d3 EM |
310 | } |
311 | ||
312 | /* Callback for the initiation */ | |
60374ac9 EM |
313 | void |
314 | handle_new_connection(int parc, char *parv[]) | |
2b0cc3d3 | 315 | { |
0cff7adb | 316 | if(parc < 6) |
b2ede1aa | 317 | { |
c23f9755 EM |
318 | warn_opers(L_CRIT, "provider: received too few params for new connection (6 expected, got %d)", parc); |
319 | exit(EX_PROVIDER_ERROR); | |
b2ede1aa | 320 | } |
2b0cc3d3 EM |
321 | |
322 | start_auth(parv[1], parv[2], parv[3], parv[4], parv[5]); | |
323 | } | |
60374ac9 EM |
324 | |
325 | void | |
326 | handle_cancel_connection(int parc, char *parv[]) | |
327 | { | |
328 | struct auth_client *auth; | |
329 | long lcid; | |
330 | ||
331 | if(parc < 2) | |
332 | { | |
c23f9755 EM |
333 | warn_opers(L_CRIT, "provider: received too few params for new connection (2 expected, got %d)", parc); |
334 | exit(EX_PROVIDER_ERROR); | |
60374ac9 EM |
335 | } |
336 | ||
337 | if((lcid = strtol(parv[1], NULL, 16)) > UINT32_MAX) | |
338 | { | |
c23f9755 EM |
339 | warn_opers(L_CRIT, "provider: got a request to cancel a connection that can't exist: %lx", lcid); |
340 | exit(EX_PROVIDER_ERROR); | |
60374ac9 EM |
341 | } |
342 | ||
343 | if((auth = rb_dictionary_retrieve(auth_clients, RB_UINT_TO_POINTER((uint32_t)lcid))) == NULL) | |
344 | { | |
5cbfed54 EM |
345 | /* This could happen as a race if we've accepted/rejected but they cancel, so don't die here. |
346 | * --Elizafox */ | |
a3b112f4 | 347 | return; |
60374ac9 EM |
348 | } |
349 | ||
350 | cancel_providers(auth); | |
351 | } | |
15c49abb EM |
352 | |
353 | static void | |
354 | provider_timeout_event(void *notused __unused) | |
355 | { | |
356 | struct auth_client *auth; | |
357 | rb_dictionary_iter iter; | |
358 | const time_t curtime = rb_current_time(); | |
359 | ||
360 | RB_DICTIONARY_FOREACH(auth, &iter, auth_clients) | |
361 | { | |
362 | rb_dlink_node *ptr; | |
363 | ||
364 | RB_DLINK_FOREACH(ptr, auth_providers.head) | |
365 | { | |
366 | struct auth_provider *provider = ptr->data; | |
367 | const time_t timeout = auth->timeout[provider->id]; | |
368 | ||
369 | if(is_provider_on(auth, provider->id) && provider->timeout != NULL && | |
c23f9755 | 370 | timeout > 0 && timeout < curtime) |
15c49abb EM |
371 | { |
372 | provider->timeout(auth); | |
373 | } | |
374 | } | |
375 | } | |
376 | } |