Set mk_pointer config->port and add server port to Palm plugin
1 /* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
3 /* Monkey HTTP Daemon
4 * ------------------
5 * Copyright (C) 2001-2010, Eduardo Silva P.
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU Library General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
22 #include <stdio.h>
23 #include <string.h>
24 #include <sys/stat.h>
25 #include <unistd.h>
27 #include "config.h"
28 #include "plugin.h"
29 #include "security.h"
30 #include "utils.h"
/*
 * Plugin registration data.
 *
 * _hooks asks for two stages, which this file implements as
 * _mkp_stage_10 (IP rules) and _mkp_stage_20 (URL rules).
 */
mk_plugin_data_t _shortname = "security";
mk_plugin_data_t _name = "Security";
mk_plugin_data_t _version = "0.11.0";
mk_plugin_hook_t _hooks = MK_PLUGIN_STAGE_10 | MK_PLUGIN_STAGE_20;

/* Plugin API table; assigned from the `api` argument in _mkp_init(). */
struct plugin_api *mk_api;

/*
 * Parsed security.conf; assigned in mk_security_conf(). Each rule's
 * `value` points at an entry value of this object.
 */
struct mk_config *conf;
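/*
 * Load the deny rules from "<confdir>/security.conf".
 *
 * Every entry of the "RULES" section is appended, in file order, to the
 * global `rules` list. The key selects the rule type (compared without
 * regard to case): "IP" gives MK_SECURITY_TYPE_IP, "URL" gives
 * MK_SECURITY_TYPE_URL. An entry with any other key, or without a value,
 * is reported on stderr and skipped, so a misspelled key can never become
 * a rule whose type field was left unset.
 *
 * The rule does not copy its value: `value` aliases entry->val, so the
 * configuration object stored in `conf` must stay alive as long as the
 * rules are in use.
 *
 * Returns 0 when the section was read, -1 when the path, the file, the
 * section or a node allocation was unavailable. On -1 the plugin may be
 * left with no rules or only part of them, i.e. nothing or less is
 * filtered; the caller decides whether that is acceptable.
 */
int mk_security_conf(char *confdir)
{
    int ret = 0;
    int type;
    unsigned long len;
    char *conf_path = NULL;
    struct mk_security *node, *tail;
    struct mk_config_section *section;
    struct mk_config_entry *entry;

    /* Read configuration */
    mk_api->str_build(&conf_path, &len, "%s/security.conf", confdir);
    if (!conf_path) {
        return -1;
    }

    /*
     * NOTE(review): the NULL checks assume config_create() and
     * config_section_get() report failure with NULL - confirm against
     * the plugin API. They are harmless if the API never returns NULL.
     */
    conf = mk_api->config_create(conf_path);
    if (!conf) {
        ret = -1;
        goto out;
    }

    section = mk_api->config_section_get(conf, "RULES");
    if (!section) {
        ret = -1;
        goto out;
    }

    /* Locate the current tail once, so each append is O(1) */
    tail = rules;
    while (tail && tail->next) {
        tail = tail->next;
    }

    for (entry = section->entry; entry; entry = entry->next) {
        /* Decide the type first: nothing is allocated for a bad entry */
        if (!entry->key || !entry->val) {
            fprintf(stderr, "[security] ignoring rule without key or value\n");
            continue;
        }

        if (strcasecmp(entry->key, "IP") == 0) {
            type = MK_SECURITY_TYPE_IP;
        }
        else if (strcasecmp(entry->key, "URL") == 0) {
            type = MK_SECURITY_TYPE_URL;
        }
        else {
            fprintf(stderr, "[security] ignoring rule with unknown key '%s'\n",
                    entry->key);
            continue;
        }

        /* Passing to internal struct */
        node = mk_api->mem_alloc(sizeof(*node));
        if (!node) {
            ret = -1;
            break;
        }
        node->type = type;
        node->value = entry->val;
        node->next = NULL;

        /* Linking node */
        if (tail) {
            tail->next = node;
        }
        else {
            rules = node;
        }
        tail = node;
    }

#ifdef TRACE
    {
        struct mk_security *r;

        PLUGIN_TRACE("Security rules");
        printf("%s", ANSI_YELLOW);
        for (r = rules; r; r = r->next) {
            if (r->type == MK_SECURITY_TYPE_IP) {
                printf("IP :'");
            }
            else if (r->type == MK_SECURITY_TYPE_URL) {
                printf("URL :'");
            }
            printf("%s'\n", r->value);
            fflush(stdout);
        }
        printf("%s", ANSI_RESET);
        fflush(stdout);
    }
#endif

out:
    mk_api->mem_free(conf_path);
    return ret;
}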
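/*
 * Compare one IP rule pattern with a dotted IPv4 string.
 *
 * Pattern syntax:
 *   '*'   matches the whole remainder of the address (prefix rule);
 *   '?'   matches exactly one character, but never '.' or the end of the
 *         address, so it cannot cross an octet boundary;
 *   other characters must be equal.
 * Without a '*', pattern and address must end at the same position, so
 * "10.0.0.1" does not match "10.0.0.12".
 *
 * Returns 1 on match, 0 otherwise. The address is never read past its
 * terminator: every path compares ipv4[i] with '\0' or with a non-NUL
 * pattern byte before advancing.
 */
static int mk_security_ip_match(const char *pattern, const char *ipv4)
{
    unsigned int i;

    for (i = 0; pattern[i]; i++) {
        if (pattern[i] == '*') {
            return 1;
        }

        if (pattern[i] == '?') {
            if (ipv4[i] == '.' || ipv4[i] == '\0') {
                return 0;
            }
            continue;
        }

        if (pattern[i] != ipv4[i]) {
            return 0;
        }
    }

    return ipv4[i] == '\0';
}

/*
 * Check a client address against every IP rule.
 *
 * Returns -1 when the connection must be refused and 0 when no IP rule
 * applies. A rule that does not match only ends the test of that rule;
 * the scan goes on to the next one, so the outcome does not depend on
 * which rule happens to be first in security.conf.
 *
 * A NULL or empty address is refused (-1): without a usable peer address
 * no rule can be evaluated, and the filter fails closed.
 */
int mk_security_check_ip(char *ipv4)
{
    struct mk_security *p;

    if (!ipv4 || ipv4[0] == '\0') {
        return -1;
    }

    for (p = rules; p; p = p->next) {
        if (p->type != MK_SECURITY_TYPE_IP || !p->value) {
            continue;
        }

        if (mk_security_ip_match(p->value, ipv4)) {
            return -1;
        }
    }

    return 0;
}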
/*
 * Check a request URI against every URL rule.
 *
 * Returns -1 as soon as str_search_n() reports a non-negative result for
 * a rule value within url.data (bounded by url.len), 0 when no URL rule
 * gives such a result.
 *
 * NOTE(review): the bytes in url.data are searched as they are passed in.
 * Whether the caller hands over a decoded and normalized URI is not
 * visible here - confirm, because a rule written in plain text would not
 * be found in a percent-encoded form of the same path.
 */
int mk_security_check_url(mk_pointer url)
{
    int pos;
    struct mk_security *rule;

    for (rule = rules; rule; rule = rule->next) {
        if (rule->type != MK_SECURITY_TYPE_URL) {
            continue;
        }

        pos = mk_api->str_search_n(url.data, rule->value, url.len);
        if (pos >= 0) {
            return -1;
        }
    }

    return 0;
}
/*
 * Plugin entry point: store the API table, start from an empty rule list
 * and load security.conf from `confdir`.
 *
 * Always returns 0.
 * NOTE(review): the result of mk_security_conf() is discarded, so the
 * plugin reports a successful start even if no rule was loaded.
 */
int _mkp_init(void **api, char *confdir)
{
    rules = 0;
    mk_api = *api;

    /* Build the rule list from the configuration file */
    mk_security_conf(confdir);

    return 0;
}
/*
 * Plugin exit hook. Intentionally empty: the rule nodes allocated in
 * mk_security_conf() and the configuration object are not released here.
 */
void _mkp_exit()
{
}
/*
 * Stage 10 hook: filter a connection by client address.
 *
 * Passes conx->ipv4.data to mk_security_check_ip(); any non-zero result
 * closes the connection, zero lets it continue.
 */
int _mkp_stage_10(unsigned int socket, struct sched_connection *conx)
{
    int verdict = mk_security_check_ip(conx->ipv4.data);

    if (verdict == 0) {
        return MK_PLUGIN_RET_CONTINUE;
    }

#ifdef TRACE
    PLUGIN_TRACE("Close connection FD %i", socket);
#endif
    return MK_PLUGIN_RET_CLOSE_CONX;
}
/*
 * Stage 20 hook: filter a request by URI.
 *
 * Passes sr->uri to mk_security_check_url(); a negative result sets the
 * response status to M_CLIENT_FORBIDDEN and closes the connection, any
 * other result lets the request continue.
 */
int _mkp_stage_20(struct client_request *cr, struct request *sr)
{
    int verdict = mk_security_check_url(sr->uri);

    if (verdict >= 0) {
        return MK_PLUGIN_RET_CONTINUE;
    }

#ifdef TRACE
    PLUGIN_TRACE("Close connection FD %i", cr->socket);
#endif
    mk_api->header_set_http_status(sr, M_CLIENT_FORBIDDEN);
    return MK_PLUGIN_RET_CLOSE_CONX;
}