ext_file_userip_acl.cc

Go to the documentation of this file.

/*
 * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */
 
/*
 * Copyright (C) 2002 Rodrigo Campos
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 *
 * Author: Rodrigo Campos (rodrigo@geekbunker.org)
 *
 */
#include "squid.h"
#include "helper/protocol_defines.h"
#include "rfc1738.h"
#include "util.h"
 
#include <cstdlib>
#include <cstring>
#if HAVE_SYS_SOCKET_H
#include <sys/socket.h>
#endif
#if HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif
#if HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif
#if HAVE_GRP_H
#include <grp.h>
#endif
 
struct ip_user_dict {
    unsigned long address; // IP address (assumes IPv4)
    unsigned long netmask; // IP netmask
    char *username;
    struct ip_user_dict *next_entry;
};
 
int match_user(char *, char *);
int match_group(char *, char *);
struct ip_user_dict *load_dict(FILE *);
int dict_lookup(struct ip_user_dict *, char *, char *);
 
#define DICT_BUFFER_SIZE    8196
 
static void
free_dict(struct ip_user_dict *head) {
    while (head) {
        struct ip_user_dict *next = head->next_entry;
        safe_free(head->username);
        xfree(head);
        head = next;
    }
}
 
struct ip_user_dict *
load_dict(FILE * FH) {
    struct ip_user_dict *current_entry; /* the structure used to
                       store data */
    struct ip_user_dict *first_entry = nullptr;    /* the head of the
                           linked list */
    char line[DICT_BUFFER_SIZE]; /* the buffer for the lines read
                   from the dict file */
    char *tmpbuf;           /* for the address before the
                   bitwise AND */
 
    /* the pointer to the first entry in the linked list */
    first_entry = static_cast<struct ip_user_dict*>(xcalloc(1, sizeof(struct ip_user_dict)));
    current_entry = first_entry;
 
    unsigned int lineCount = 0;
    while (fgets(line, sizeof(line), FH) != nullptr) {
        ++lineCount;
        if (line[0] == '#') {
            continue;
        }
 
        char *cp; // a char pointer used to parse each line.
        if ((cp = strchr (line, '\n')) != nullptr) {
            /* chop \n characters */
            *cp = '\0';
        }
        if (strtok(line, "\t ") != nullptr) {
            // NP: line begins with IP/mask. Skipped to the end of it with this strtok()
 
            /* get the username */
            char *username;
            if ((username = strtok(nullptr, "\t ")) == nullptr) {
                debug("Missing username on line %u of dictionary file\n", lineCount);
                continue;
            }
 
            /* look for a netmask */
            if ((cp = strtok (line, "/")) != nullptr) {
                /* store the ip address in a temporary buffer */
                tmpbuf = cp;
                cp = strtok (nullptr, "/");
                if (cp != nullptr) {
                    /* if we have a slash in the lhs, we have a netmask */
                    current_entry->netmask = (inet_addr(cp));
                    current_entry->address =
                        (((inet_addr (tmpbuf))) & current_entry->netmask);
                } else {
                    /* when there's no slash, we figure the netmask is /32 */
                    current_entry->address = (inet_addr(tmpbuf));
                    current_entry->netmask = (inet_addr("255.255.255.255"));
                }
            }
            /* get space for the username */
            current_entry->username =
                (char*)calloc(strlen(username) + 1, sizeof(char));
            strcpy(current_entry->username, username);
 
            /* get space and point current_entry to the new entry */
            current_entry->next_entry =
                static_cast<struct ip_user_dict*>(xcalloc(1, sizeof(struct ip_user_dict)));
            current_entry = current_entry->next_entry;
        }
 
    }
 
    /* Return a pointer to the first entry linked list */
    return first_entry;
}
 
int
dict_lookup(struct ip_user_dict *first_entry, char *username,
            char *address)
{
    /* Move the pointer to the first entry of the linked list. */
    struct ip_user_dict *current_entry = first_entry;
 
    while (current_entry && current_entry->username) {
        debug("user: %s\naddr: %lu\nmask: %lu\n\n",
              current_entry->username, current_entry->address,
              current_entry->netmask);
 
        if ((inet_addr (address) & (unsigned long) current_entry->
                netmask) == current_entry->address) {
            /* If the username contains an @ we assume it?s a group and
               call the corresponding function */
            if ((strchr (current_entry->username, '@')) == nullptr) {
                if ((match_user (current_entry->username, username)) == 1)
                    return 1;
            } else {
                if ((match_group (current_entry->username, username)) == 1)
                    return 1;
            }
        }
        current_entry = current_entry->next_entry;
    }
 
    /* If no match was found we return 0 */
    return 0;
}
 
int
match_user(char *dict_username, char *username)
{
    if ((strcmp(dict_username, username)) == 0) {
        return 1;
    } else {
        if ((strcmp(dict_username, "ALL")) == 0) {
            return 1;
        }
    }
    return 0;
}               /* match_user */
 
int
match_group(char *dict_group, char *username)
{
    struct group *g;        /* a struct to hold group entries */
    ++dict_group;           /* the @ should be the first char
                   so we rip it off by incrementing
                   * the pointer by one */
 
    g = getgrnam(dict_group);
    if (!g || !g->gr_mem) {
        debug("Group does not exist or has no members '%s'\n", dict_group);
        return 0;
    }
 
    for (char * const *m = g->gr_mem; *m; ++m) {
        if (strcmp(*m, username) == 0)
            return 1;
    }
    return 0;
}
 
static void
usage(const char *program_name)
{
    fprintf (stderr, "Usage:\n%s [-d] -f <configuration file>\n",
             program_name);
}
 
int
main (int argc, char *argv[])
{
    char *filename = nullptr;
    char *program_name = argv[0];
    char *cp;
    char *username, *address;
    char line[HELPER_INPUT_BUFFER];
    struct ip_user_dict *current_entry;
    int ch;
 
    setvbuf (stdout, nullptr, _IOLBF, 0);
    while ((ch = getopt(argc, argv, "df:h")) != -1) {
        switch (ch) {
        case 'f':
            filename = optarg;
            break;
        case 'd':
            debug_enabled = 1;
            break;
        case 'h':
            usage(program_name);
            exit(EXIT_SUCCESS);
        default:
            fprintf(stderr, "%s: FATAL: Unknown parameter option '%c'", program_name, ch);
            usage(program_name);
            exit(EXIT_FAILURE);
        }
    }
    if (filename == nullptr) {
        fprintf(stderr, "%s: FATAL: No Filename configured.", program_name);
        usage(program_name);
        exit(EXIT_FAILURE);
    }
    FILE *FH = fopen(filename, "r");
    if (!FH) {
        int xerrno = errno;
        fprintf(stderr, "%s: FATAL: Unable to open file '%s': %s", program_name, filename, xstrerr(xerrno));
        exit(EXIT_FAILURE);
    }
    current_entry = load_dict(FH);
 
    while (fgets(line, HELPER_INPUT_BUFFER, stdin)) {
        if ((cp = strchr (line, '\n')) == nullptr) {
            /* too large message received.. skip and deny */
            fprintf(stderr, "%s: ERROR: Input Too Large: %s\n", program_name, line);
            while (fgets(line, sizeof(line), stdin)) {
                fprintf(stderr, "%s: ERROR: Input Too Large..: %s\n", program_name, line);
                if (strchr(line, '\n') != nullptr)
                    break;
            }
            SEND_BH(HLP_MSG("Input Too Large."));
            continue;
        }
        *cp = '\0';
        address = strtok(line, " \t");
        username = strtok(nullptr, " \t");
        if (!address || !username) {
            debug("%s: unable to read tokens\n", program_name);
            SEND_BH(HLP_MSG("Invalid Input."));
            continue;
        }
        rfc1738_unescape(address);
        rfc1738_unescape(username);
        int result = dict_lookup(current_entry, username, address);
        debug("%s: result: %d\n", program_name, result);
        if (result != 0) {
            SEND_OK("");
        } else {
            SEND_ERR("");
        }
    }
 
    fclose (FH);
    free_dict(current_entry);
    return EXIT_SUCCESS;
}