Merge in all devel changes since 2.0-alpha2.
1 /*_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
2 *                                                                          *
3 * checkclient.c                                                            *
4 *                                                                          *
5 * Function:..Client check functions                                        *
6 *                                                                          *
7 *                                                                          *
8 *                                                                          *
9 * Authors:...Dr. Kurt Spanier & Bernhard Winkler,                          *
10 *            Zentrum fuer Datenverarbeitung, Bereich Entwicklung           *
11 *            neuer Dienste, Universitaet Tuebingen, GERMANY                *
12 *                                                                          *
13 *                                       ZZZZZ  DDD    V   V                *
14 *            Creation date:                Z   D  D   V   V                *
15 *            March 7 1996                 Z    D   D   V V                 *
16 *            Last modification:          Z     D  D    V V                 *
17 *            March 19 1999              ZZZZ   DDD      V                  *
18 *                                                                          *
19 _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_*/
20
21 /*
22  * $Id: checkclient.c,v 1.6 1999/09/10 15:01:16 zrnsk01 Exp $
23  *
24  */
25
26 #include "tgeneral.h"
27 #include "tglobal.h"
28 #include "init_exp.h"
29 #include "charray_exp.h"
30 #include "checkclient.h"
31 #include "regular_exp.h"
32
/*
 * check4access: test a host name against the configured allow and deny
 * patterns.
 *
 *   host - host name to test; passed unchanged to checkad()
 *   glob - configuration: allow_string / deny_string tell whether a pattern
 *          is configured, comp_allow / comp_deny are the compiled patterns
 *
 * A pattern that is not configured contributes OK. The result is the
 * logical AND of "matches allow" and "does not match deny", i.e. 1 or 0;
 * callers compare it with OK (presumably 1 -- confirm in the tweb headers).
 * The deny pattern is only evaluated when the allow test has passed.
 */
PRIVATE int check4access (host, glob)
char *host;
GLOB_STRUCT *glob;
{
    int passes_allow;
    int passes_deny;

    passes_allow = glob->allow_string
                       ? checkad(host, glob->comp_allow, glob)
                       : OK;
    if (!passes_allow) {
        return 0;
    }

    passes_deny = glob->deny_string
                      ? !checkad(host, glob->comp_deny, glob)
                      : OK;

    return passes_deny ? 1 : 0;
}
46 /* end of function: check4access */
47
48
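/*
 * checkad: match a host name against one compiled pattern.
 *
 *   host   - host name to test, may be NULL
 *   string - compiled pattern handed to tweb_regexec()
 *   glob   - unused here
 *
 * Returns whatever tweb_regexec() returns for the pattern and a local copy
 * of the name. A NULL name is matched as "unknown.xxx".
 *
 * The name reaches this function from the resolver entry of the connecting
 * client (see the callers in this file), so its length is not under our
 * control. A name that does not fit the local buffer is therefore not
 * copied (that was an unbounded strcpy onto the stack) and not truncated
 * either (a shortened name could stop matching a deny pattern); it is
 * handled like a missing name.
 */
PRIVATE int checkad (host, string, glob)
char *host;
regexp *string;
GLOB_STRUCT *glob;
{
    char nhost[BUFSIZ];
    const char *name = "unknown.xxx";

    if (host && strlen(host) < sizeof nhost) {
        name = host;
    }

    /* safe: strlen(name) < sizeof nhost is guaranteed above */
    strcpy(nhost, name);

    return( tweb_regexec( string, nhost ));
}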
60 /* end of function: checkad */
61
62 /* Analyse Web-Client-Type / proxy + Log-Message */
63
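/*
 * checkwwwclient: first-stage check of a connecting web client.
 *
 *   fp      - stream of the client connection; request header lines are
 *             read from it and the refusal page is written to it
 *   ip_addr - client address as text (only used in the log message)
 *   ip_port - client port (only used in the log message)
 *   hp      - resolver entry of the client, or NULL
 *   glob    - connection state and configuration
 *
 * Steps:
 *   1. Test the host name against the grant/refuse patterns. On failure
 *      the "ACCESS DENIED" page is sent, the LDAP connections are closed
 *      and exit_tweb(0) is called (presumably does not return).
 *   2. Read header lines up to the first line that is empty after
 *      trimming, remember the User-Agent and Via lines and set
 *      glob->is_proxy.
 *   3. If syslog is enabled, store the log text in glob->user_agent_msg.
 *   4. Set glob->allowed: requires a resolver entry, a name accepted by
 *      check4access(), and -- when glob->no_proxy is set -- either no
 *      proxy or a host listed in glob->allow_proxy.
 *
 * NOTE(review): every decision here is keyed on hp->h_name. If the caller
 * obtains hp from a reverse lookup of the peer address without confirming
 * it by a forward lookup, the name is chosen by whoever controls the
 * client's reverse zone -- confirm how the caller resolves the peer.
 *
 * NOTE(review): proxy detection depends on headers the client sends, and
 * the header names are matched case-sensitively anywhere in the line; a
 * proxy that omits or re-cases them is not recognised.
 */
PUBLIC void checkwwwclient (fp, ip_addr, ip_port, hp, glob)
FILE *fp;
char *ip_addr;
unsigned int ip_port;
struct hostent *hp;
GLOB_STRUCT *glob;
{
    char in[BUFSIZ];
    char agent[BUFSIZ], via[BUFSIZ];
    char *host = hp ? hp->h_name : "unknown";

    *via = *agent = '\0';

    /* step 1: grant / refuse patterns; an unset pattern counts as OK */
    if(!((glob->grant ? checkad(host, glob->comp_grant, glob) : OK) &&
         (glob->refuse ? !checkad(host, glob->comp_refuse, glob) : OK))){

        if (dosyslog)
            syslog (LOG_INFO, "%s REFUSED <%08d>",
                    glob->server_connection_msg, glob->svc_cnt);
        fflush(fp);
        if (http == 1) PRINT_HTML_HEADER;
        fprintf( fp, HTML_HEAD_TITLE, "ACCESS DENIED", glob->la[100]);
        disp_file(glob, glob->header, fp);
        fprintf(fp, "%s", glob->la[97]);
        disp_file(glob, glob->footer, fp);
        PRINT_HTML_FOOTER;
        close_ldap_connections(glob);
        exit_tweb(0);
    }

    /* step 2: scan the request header lines */
    glob->is_proxy = FALSE;
    while(fgets( in, BUFSIZ-1,  fp ) && *trimright(in, WSPACE) ) {
        if(strstr(in, "User-Agent:")){
            /* in holds at most BUFSIZ-2 characters, so this copy fits */
            strcpy(agent, in);
            /* str_tolower appears to lower-case in place and return its
             * argument (the second strstr relies on that) -- confirm */
            if(strstr(str_tolower(in), PROXY_TOKEN1) ||
               strstr(in, PROXY_TOKEN2))
                glob->is_proxy = TRUE;
        }
        if(strstr(in, "Via:")){
            strcpy(via, in);
            glob->is_proxy = TRUE;
        }
    }

    /* step 3: log text */
    if (dosyslog){
        char useragent[BUFSIZ];

        /* agent and via can each be almost BUFSIZ long and both come from
         * the client, so the combined text can exceed this buffer. The
         * output is bounded here; an over-long log line is cut off
         * instead of being written past the end of the stack buffer. */
        snprintf(useragent, sizeof useragent, "%s  (%s,%u) %s",
                 *agent ?  agent : "User-Agent: unknown",
                 ip_addr, ip_port, via);
        glob->user_agent_msg = strdup(useragent);
    }

    /* step 4: check if access is allowed ... */

    glob->allowed =
        ( hp
          && ((check4access(str_tolower(hp->h_name), glob) == OK))
          && !( glob->no_proxy && glob->is_proxy
                && !charray_inlist(glob->allow_proxy, hp->h_name)
              )
        );
}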
126
127 /* end of function: checkwwwclient */
128
/*
 * decide_access: turn the glob->allowed verdict into session settings.
 *
 *   glob - connection state; reads allowed, strict, legal, no_browse and
 *          the alternative credentials webdn2/webpw2, writes webdn, webpw,
 *          noauth, max_person, legal and no_browse
 *
 * A client that is not allowed is not disconnected here: the session is
 * switched to the alternative bind DN/password and marked noauth, and the
 * event is logged as DENIED. NOTE(review): webdn2/webpw2 may be unset; what
 * a bind with empty values does is decided elsewhere -- confirm.
 */
PUBLIC void decide_access(glob)
GLOB_STRUCT *glob;
{
    if (glob->allowed) {

        /* allowed and not strict: list persons without limits */
        if (!glob->strict) {
            glob->max_person = 0;
        }

        if (dosyslog) {
            syslog (LOG_INFO, "%s ALLOWED <%08d>",
                    glob->server_connection_msg, glob->svc_cnt);
        }

    } else {

        /* access from a host that is not allowed:
           fall back to the alternative webdn/webpw (if configured) */
        glob->webdn = glob->webdn2;
        glob->webpw = glob->webpw2;
        glob->noauth = TRUE;

        if (dosyslog) {
            syslog (LOG_INFO, "%s DENIED <%08d>",
                    glob->server_connection_msg, glob->svc_cnt);
        }
    }

    /* second log line: the client description built by checkwwwclient */
    if (dosyslog) {
        syslog (LOG_INFO, "%s <%08d>",
                glob->user_agent_msg, glob->svc_cnt);
    }

    /* an unconfigured (or lifted) max_person means full listing */
    if (glob->max_person == 0) {
        glob->max_person = 100000;
    }

    /* the privacy message stays enabled only where result lists are
       restricted, i.e. not for an allowed client in non-strict mode */
    glob->legal = glob->legal && !(glob->allowed && !glob->strict);

    /* browsing stays restricted only for noauth or strict sessions */
    glob->no_browse = (glob->noauth || glob->strict) && glob->no_browse;
}
166
167 /* end of function: decide_access */
168
169 /* Read ip_refuse dat_file and build up the data structure */
170
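/*
 * get_ip_refuse_clients: (re)build the refused-address list from the
 * ip_refuse data file.
 *
 *   glob - configuration; nothing happens unless glob->ip_refuse is set
 *
 * The list is kept in glob->ip_refuse->refu_str as one string of the form
 * "&entry&entry&...&", which check_ip_denial() searches for "&address&".
 * Everything from '#' to the end of a line is a comment; lines that are
 * empty after trimming are skipped.
 *
 * If the file cannot be opened the previous list (possibly none) is kept
 * and the failure is written to syslog when logging is enabled, so that a
 * refuse list that silently stopped loading can be noticed.
 *
 * Fixes relative to the earlier version:
 *   - entries were appended with sprintf() using the destination as one
 *     of its own arguments, which is undefined behaviour;
 *   - the length counter ignored the '&' written after each entry, so the
 *     capacity check drifted by one byte per entry and the heap buffer
 *     could be overrun;
 *   - the buffer was grown by a single REFU_BUFSIZ step even when one
 *     entry needed more.
 *
 * NOTE(review): only " \t\n" is trimmed, so an entry from a file with CRLF
 * line ends presumably keeps its '\r' and never matches -- confirm how
 * trim() treats it.
 */
PUBLIC void get_ip_refuse_clients(glob)
GLOB_STRUCT *glob;
{
    FILE   *rfp;
    char    inLine[BUFSIZ];
    char   *inLineP;
    size_t  buflen = REFU_BUFSIZ;   /* allocated size of refu_str */
    size_t  curlen = (size_t) 1;    /* strlen(refu_str), starts as "&" */

    if ( !glob->ip_refuse ) {
        return;
    }

    if(!(rfp = fopen(glob->ip_refuse->dat_file, "r"))) {
        if (dosyslog)
            syslog (LOG_ERR,
                    "cannot open ip_refuse file %s; refuse list unchanged",
                    glob->ip_refuse->dat_file);
        return;
    }

    /* start a fresh list; ch_calloc zero-fills, so "&" is terminated */
    free( glob->ip_refuse->refu_str );
    glob->ip_refuse->refu_str = ch_calloc( 1, REFU_BUFSIZ );
    *glob->ip_refuse->refu_str = '&';

    while(fgets(inLine, BUFSIZ-1, rfp)) {
        size_t  inLen;
        size_t  need;

        if ( ( inLineP = strchr( inLine, '#' ) )) *inLineP = '\0';
        inLineP = trim(inLine, " \t\n");
        if ( *inLineP == '\0' ) continue;

        inLen = strlen( inLineP );

        /* room for the entry, its trailing '&' and the terminating NUL */
        need = curlen + inLen + 2;
        if ( need > buflen ) {
            while ( need > buflen ) buflen += REFU_BUFSIZ;
            glob->ip_refuse->refu_str =
                ch_realloc( glob->ip_refuse->refu_str, buflen );
        }

        /* append at the current end instead of re-formatting the whole
           string onto itself */
        memcpy( glob->ip_refuse->refu_str + curlen, inLineP, inLen );
        glob->ip_refuse->refu_str[curlen + inLen] = '&';
        glob->ip_refuse->refu_str[curlen + inLen + 1] = '\0';

        curlen += inLen + 1;
    }
    fclose( rfp );
}  /*  get_ip_refuse_clients  */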
217
218
219 /* Routine needed to initialize structure in init.c */
220
221 /*  Test the incoming IP address for denial  */
222
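/*
 * check_ip_denial: test the peer address of a connection against the
 * refused-address list.
 *
 *   ip_connection - peer address of the connection (IPv4)
 *   glob          - configuration; glob->ip_refuse->refu_str is the list
 *                   in the form "&entry&entry&...&"
 *
 * Returns NOTOK if "&<dotted address>&" occurs in the list, OK otherwise.
 * Without a configured ip_refuse section the result is always OK. Because
 * the address is searched with both delimiters, only complete entries
 * match; an entry is compared as literal text.
 *
 * If ip_refuse is configured but no list has been loaded (refu_str is
 * NULL, e.g. the data file could not be opened on the first read) the
 * earlier code passed NULL to strstr(). That case now returns NOTOK: with
 * a refuse list requested but unavailable, the connection is refused
 * instead of being let through unchecked.
 */
PUBLIC int
check_ip_denial( ip_connection, glob )
struct sockaddr_in   *ip_connection;
GLOB_STRUCT          *glob;
{
    int    res = OK;

    if ( glob->ip_refuse ) {
        /* '&' + at most 15 characters of dotted quad + '&' + NUL */
        char  ip_address[18];

        if ( !glob->ip_refuse->refu_str ) {
            return( NOTOK );
        }

        snprintf( ip_address, sizeof ip_address, "&%s&",
                  inet_ntoa( ip_connection->sin_addr ));
        if ( strstr( glob->ip_refuse->refu_str, ip_address ))
            res = NOTOK;

    }

    return( res );

}  /*  check_ip_denial  */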
242
243
244 /* re-read IP-REFUSE file if necessary */
245
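/*
 * re_readIPrefuse: reload the refused-address list every
 * glob->ip_refuse->rereadcycle calls.
 *
 *   glob - configuration; nothing happens unless glob->ip_refuse is set
 *
 * A call counter is kept in a function-local static, so the cycle is
 * counted per process. A rereadcycle of 0 is treated as "never re-read":
 * the earlier code used it directly as the divisor of a modulo, which is
 * a division by zero. NOTE(review): confirm that 0 is meant to disable
 * re-reading and is not simply an unset value that should get a default.
 */
PUBLIC void
re_readIPrefuse( glob )
GLOB_STRUCT   *glob;
{
    static int ip_refuse_reload = 0;

    if ( !glob->ip_refuse ) {
        return;
    }

    if ( glob->ip_refuse->rereadcycle == 0 ) {
        return;
    }

    if ( !( ++ip_refuse_reload % glob->ip_refuse->rereadcycle )) {
        get_ip_refuse_clients( glob );
    }

}  /*  re_readIPrefuse  */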
258