From ca6e4bad852f8eb986cf38eef3a3f2366134e45d Mon Sep 17 00:00:00 2001 From: Maxim Mamontov Date: Sat, 10 Sep 2011 19:07:51 +0300 Subject: [PATCH] Fix authorization in plugins --- .../stargazer/plugins/authorization/ao/ao.cpp | 19 ++--- .../stargazer/plugins/authorization/ao/ao.h | 9 +- .../authorization/inetaccess/inetaccess.cpp | 85 +++++++++---------- .../authorization/inetaccess/inetaccess.h | 13 +-- .../stargazer/plugins/other/radius/radius.cpp | 6 +- 5 files changed, 63 insertions(+), 69 deletions(-) diff --git a/projects/stargazer/plugins/authorization/ao/ao.cpp b/projects/stargazer/plugins/authorization/ao/ao.cpp index bdbfe3a9..7079d7d9 100644 --- a/projects/stargazer/plugins/authorization/ao/ao.cpp +++ b/projects/stargazer/plugins/authorization/ao/ao.cpp @@ -105,7 +105,8 @@ list::iterator users_iter; users_iter = usersList.begin(); while (users_iter != usersList.end()) { - Unauthorize(*users_iter); + if ((*users_iter)->IsAuthorizedBy(this)) + users->Unauthorize((*users_iter)->GetLogin(), this); UnSetUserNotifiers(*users_iter); ++users_iter; } @@ -212,21 +213,14 @@ while (!users->SearchNext(h, &u)) users->CloseSearch(h); } //----------------------------------------------------------------------------- -void AUTH_AO::Unauthorize(USER_PTR u) const -{ -u->Unauthorize(this); -} -//----------------------------------------------------------------------------- -void AUTH_AO::UpdateUserAuthorization(USER_PTR u) const +void AUTH_AO::UpdateUserAuthorization(CONST_USER_PTR u) const { if (u->GetProperty().alwaysOnline) { USER_IPS ips = u->GetProperty().ips; if (ips.OnlyOneIP()) { - if (u->Authorize(ips[0].ip, 0xFFffFFff, this) == 0) - { - } + users->Authorize(u->GetLogin(), ips[0].ip, 0xFFffFFff, this); } } } @@ -240,7 +234,7 @@ UpdateUserAuthorization(u); //----------------------------------------------------------------------------- void AUTH_AO::DelUser(USER_PTR u) { -Unauthorize(u); +users->Unauthorize(u->GetLogin(), this); UnSetUserNotifiers(u); usersList.remove(u); } @@ -255,7 +249,8 @@ template void CHG_BEFORE_NOTIFIER::Notify(const varParamType &, const varParamType &) { //EVENT_LOOP_SINGLETON::GetInstance().Enqueue(auth, &AUTH_AO::Unauthorize, user); -auth.Unauthorize(user); +if (user->IsAuthorizedBy(&auth)) + auth.users->Unauthorize(user->GetLogin(), &auth); } //----------------------------------------------------------------------------- template diff --git a/projects/stargazer/plugins/authorization/ao/ao.h b/projects/stargazer/plugins/authorization/ao/ao.h index cac18dfd..df21803b 100644 --- a/projects/stargazer/plugins/authorization/ao/ao.h +++ b/projects/stargazer/plugins/authorization/ao/ao.h @@ -88,15 +88,13 @@ public: void AddUser(USER_PTR u); void DelUser(USER_PTR u); - void UpdateUserAuthorization(USER_PTR u) const; - void Unauthorize(USER_PTR u) const; - int SendMessage(const STG_MSG & msg, uint32_t ip) const; private: void GetUsers(); void SetUserNotifiers(USER_PTR u); void UnSetUserNotifiers(USER_PTR u); + void UpdateUserAuthorization(CONST_USER_PTR u) const; mutable std::string errorStr; USERS * users; @@ -138,6 +136,11 @@ private: AUTH_AO & auth; } onDelUserNotifier; + friend class CHG_BEFORE_NOTIFIER; + friend class CHG_AFTER_NOTIFIER; + friend class CHG_BEFORE_NOTIFIER; + friend class CHG_AFTER_NOTIFIER; + }; //----------------------------------------------------------------------------- diff --git a/projects/stargazer/plugins/authorization/inetaccess/inetaccess.cpp b/projects/stargazer/plugins/authorization/inetaccess/inetaccess.cpp index 6219a1a8..a86933bc 100644 --- a/projects/stargazer/plugins/authorization/inetaccess/inetaccess.cpp +++ b/projects/stargazer/plugins/authorization/inetaccess/inetaccess.cpp @@ -616,7 +616,7 @@ USER_PTR user; if (users->FindByName(login, &user) == 0) { printfd(__FILE__, "User %s FOUND!\n", user->GetLogin().c_str()); - PacketProcessor(buffer, dataLen, sip, sport, protoVer, &user); + PacketProcessor(buffer, dataLen, sip, sport, protoVer, user); } else { @@ -720,7 +720,7 @@ while (it != ip2user.end()) if ((currTime - it->second.phase.GetTime()) > iaSettings.GetUserTimeout()) { - it->second.user->Unauthorize(this); + users->Unauthorize(it->second.user->GetLogin(), this); ip2user.erase(it++); continue; } @@ -739,11 +739,10 @@ while (it != ip2user.end()) return 0; } //----------------------------------------------------------------------------- -int AUTH_IA::PacketProcessor(char * buff, int dataLen, uint32_t sip, uint16_t sport, int protoVer, USER_PTR * user) +int AUTH_IA::PacketProcessor(char * buff, int dataLen, uint32_t sip, uint16_t sport, int protoVer, USER_PTR user) { -STG_LOCKER lock(&mutex, __FILE__, __LINE__); +std::string login(user->GetLogin()); // ôÕÔ ÓÏÂÒÁÎÙ ÏÂÒÁÂÏÔÞÉËÉ ÒÁÚÎÙÈ ÐÁËÅÔÏ× -int pn = -1; const int offset = LOGIN_LEN + 2 + 6; // LOGIN_LEN + sizeOfMagic + sizeOfVer; IA_USER * iaUser = NULL; @@ -757,19 +756,20 @@ ALIVE_ACK_6 * aliveAck; DISCONN_SYN_6 * disconnSyn; DISCONN_ACK_6 * disconnAck; -map::iterator it; -it = ip2user.find(sip); +STG_LOCKER lock(&mutex, __FILE__, __LINE__); +map::iterator it(ip2user.find(sip)); -if (it == ip2user.end() || (*user)->GetID() != it->second.user->GetID()) +if (it == ip2user.end()) { // åÝÅ ÎÅ ÂÙÌÏ ÚÁÐÒÏÓÏ× Ó ÜÔÏÇÏ IP printfd(__FILE__, "Add new user\n"); + ip2user[sip].login = user->GetLogin(); + ip2user[sip].user = user; ip2user[sip].protoVer = protoVer; - ip2user[sip].user = *user; ip2user[sip].port = sport; #ifdef IA_PHASE_DEBUG ip2user[sip].phase.SetLogFileName(stgSettings->GetLogFileName()); - ip2user[sip].phase.SetUserLogin((*user)->GetLogin()); + ip2user[sip].phase.SetUserLogin(login); #endif @@ -780,16 +780,23 @@ if (it == ip2user.end() || (*user)->GetID() != it->second.user->GetID()) return -1; } } +else if (user->GetID() != it->second.user->GetID()) + { + printfd(__FILE__, "IP address already in use. IP \'%s\'\n", inet_ntostring(sip).c_str()); + WriteServLog("IP address already in use. IP \'%s\'", inet_ntostring(sip).c_str()); + SendError(sip, sport, protoVer, "÷ÁÛ IP ÁÄÒÅÓ ÕÖÅ ÉÓÐÏÌØÚÕÅÔÓÑ!"); + return 0; + } iaUser = &(it->second); if (iaUser->port != sport) iaUser->port = sport; -if (iaUser->password != (*user)->GetProperty().password.Get()) +if (iaUser->password != user->GetProperty().password.Get()) { - InitEncrypt(&iaUser->ctx, (*user)->GetProperty().password.Get()); - iaUser->password = (*user)->GetProperty().password.Get(); + InitEncrypt(&iaUser->ctx, user->GetProperty().password.Get()); + iaUser->password = user->GetProperty().password.Get(); } buff += offset; @@ -799,8 +806,7 @@ char packetName[IA_MAX_TYPE_LEN]; strncpy(packetName, buff + 4, IA_MAX_TYPE_LEN); packetName[IA_MAX_TYPE_LEN - 1] = 0; -map::iterator pi; -pi = packetTypes.find(packetName); +map::iterator pi(packetTypes.find(packetName)); if (pi == packetTypes.end()) { SendError(sip, sport, protoVer, "îÅÐÒÁ×ÉÌØÎÙÊ ÌÏÇÉÎ ÉÌÉ ÐÁÒÏÌØ!"); @@ -808,53 +814,40 @@ if (pi == packetTypes.end()) WriteServLog("User's connect failed. IP \'%s\'. Wrong login or password", inet_ntostring(sip).c_str()); return 0; } -else - { - pn = pi->second; - } -if ((*user)->GetProperty().disabled.Get()) +if (user->GetProperty().disabled.Get()) { SendError(sip, sport, protoVer, "õÞÅÔÎÁÑ ÚÁÐÉÓØ ÚÁÂÌÏËÉÒÏ×ÁÎÁ"); return 0; } -if ((*user)->GetProperty().passive.Get()) +if (user->GetProperty().passive.Get()) { SendError(sip, sport, protoVer, "õÞÅÔÎÁÑ ÚÁÐÉÓØ ÚÁÍÏÒÏÖÅÎÁ"); return 0; } -if ((*user)->GetAuthorized() && (*user)->GetCurrIP() != sip) +if (user->IsAuthorizedBy(this) && user->GetCurrIP() != sip) { - printfd(__FILE__, "Login %s already in use. IP \'%s\'\n", (*user)->GetLogin().c_str(), inet_ntostring(sip).c_str()); - WriteServLog("Login %s already in use. IP \'%s\'", (*user)->GetLogin().c_str(), inet_ntostring(sip).c_str()); + printfd(__FILE__, "Login %s already in use. IP \'%s\'\n", login.c_str(), inet_ntostring(sip).c_str()); + WriteServLog("Login %s already in use. IP \'%s\'", login.c_str(), inet_ntostring(sip).c_str()); SendError(sip, sport, protoVer, "÷ÁÛ ÌÏÇÉÎ ÕÖÅ ÉÓÐÏÌØÚÕÅÔÓÑ!"); return 0; } -USER_PTR u; -if (users->FindByIPIdx(sip, &u) == 0 && u->GetLogin() != (*user)->GetLogin()) - { - printfd(__FILE__, "IP address already in use. IP \'%s\'\n", inet_ntostring(sip).c_str()); - WriteServLog("IP address already in use. IP \'%s\'", inet_ntostring(sip).c_str()); - SendError(sip, sport, protoVer, "÷ÁÛ IP ÁÄÒÅÓ ÕÖÅ ÉÓÐÏÌØÚÕÅÔÓÑ!"); - return 0; - } - // ôÅÐÅÒØ ÍÙ ÄÏÌÖÎÙ ÐÒÏ×ÅÒÉÔØ, ÍÏÖÅÔ ÌÉ ÐÏÌØÚÏ×ÁÔÅÌØ ÐÏÄËÌÀÞÉÔÓÑ Ó ÜÔÏÇÏ ÁÄÒÅÓÁ. -int ipFound = (*user)->GetProperty().ips.Get().IsIPInIPS(sip); +int ipFound = user->GetProperty().ips.Get().IsIPInIPS(sip); if (!ipFound) { - printfd(__FILE__, "User %s. IP address is incorrect. IP \'%s\'\n", (*user)->GetLogin().c_str(), inet_ntostring(sip).c_str()); - WriteServLog("User %s. IP address is incorrect. IP \'%s\'", (*user)->GetLogin().c_str(), inet_ntostring(sip).c_str()); + printfd(__FILE__, "User %s. IP address is incorrect. IP \'%s\'\n", login.c_str(), inet_ntostring(sip).c_str()); + WriteServLog("User %s. IP address is incorrect. IP \'%s\'", login.c_str(), inet_ntostring(sip).c_str()); SendError(sip, sport, protoVer, "ðÏÌØÚÏ×ÁÔÅÌØ ÎÅ ÏÐÏÚÎÁÎ! ðÒÏ×ÅÒØÔÅ IP ÁÄÒÅÓ."); return 0; } int ret = -1; -switch (pn) +switch (pi->second) { case CONN_SYN_N: switch (protoVer) @@ -1033,7 +1026,7 @@ if (it == ip2user.end()) if (it->second.user == u) { printfd(__FILE__, "User removed!\n"); - it->second.user->Unauthorize(this); + users->Unauthorize(u->GetLogin(), this); ip2user.erase(it); } } @@ -1127,7 +1120,7 @@ return 0; //----------------------------------------------------------------------------- int AUTH_IA::RealSendMessage6(const STG_MSG & msg, uint32_t ip, IA_USER & user) { -printfd(__FILE__, "RealSendMessage 6 user=%s\n", user.user->GetLogin().c_str()); +printfd(__FILE__, "RealSendMessage 6 user=%s\n", user.login.c_str()); char buffer[256]; INFO_6 info; @@ -1154,7 +1147,7 @@ return 0; //----------------------------------------------------------------------------- int AUTH_IA::RealSendMessage7(const STG_MSG & msg, uint32_t ip, IA_USER & user) { -printfd(__FILE__, "RealSendMessage 7 user=%s\n", user.user->GetLogin().c_str()); +printfd(__FILE__, "RealSendMessage 7 user=%s\n", user.login.c_str()); char buffer[300]; INFO_7 info; @@ -1187,7 +1180,7 @@ return 0; //----------------------------------------------------------------------------- int AUTH_IA::RealSendMessage8(const STG_MSG & msg, uint32_t ip, IA_USER & user) { -printfd(__FILE__, "RealSendMessage 8 user=%s\n", user.user->GetLogin().c_str()); +printfd(__FILE__, "RealSendMessage 8 user=%s\n", user.login.c_str()); char buffer[1500]; memset(buffer, 0, sizeof(buffer)); @@ -1259,7 +1252,7 @@ if ((iaUser->phase.GetPhase() == 2) && (connAck->rnd == iaUser->rnd + 1)) iaUser->phase.UpdateTime(); iaUser->lastSendAlive = iaUser->phase.GetTime(); - if (iaUser->user->Authorize(sip, enabledDirs, this) == 0) + if (users->Authorize(iaUser->login, sip, enabledDirs, this)) { iaUser->phase.SetPhase3(); printfd(__FILE__, "Phase changed from 2 to 3. Reason: CONN_ACK_6\n"); @@ -1294,7 +1287,7 @@ if ((iaUser->phase.GetPhase() == 2) && (connAck->rnd == iaUser->rnd + 1)) { iaUser->phase.UpdateTime(); iaUser->lastSendAlive = iaUser->phase.GetTime(); - if (iaUser->user->Authorize(sip, enabledDirs, this) == 0) + if (users->Authorize(iaUser->login, sip, enabledDirs, this)) { iaUser->phase.SetPhase3(); printfd(__FILE__, "Phase changed from 2 to 3. Reason: CONN_ACK_8\n"); @@ -1558,7 +1551,7 @@ else #ifdef IA_DEBUG if (iaUser->aliveSent) { - printfd(__FILE__, "========= ALIVE_ACK_6(7) TIMEOUT !!! %s =========\n", iaUser->user->GetLogin().c_str()); + printfd(__FILE__, "========= ALIVE_ACK_6(7) TIMEOUT !!! %s =========\n", iaUser->login.c_str()); } iaUser->aliveSent = true; #endif @@ -1728,7 +1721,7 @@ SwapBytes(fin6.len); Encrypt(&iaUser->ctx, (char*)&fin6, (char*)&fin6, Min8(sizeof(fin6))/8); -iaUser->user->Unauthorize(this); +users->Unauthorize(iaUser->login, this); int ret = Send(sip, iaSettings.GetUserPort(), (char*)&fin6, Min8(sizeof(fin6))); ip2user.erase(it); @@ -1756,7 +1749,7 @@ SwapBytes(fin8.len); Encrypt(&iaUser->ctx, (char*)&fin8, (char*)&fin8, Min8(sizeof(fin8))/8); -iaUser->user->Unauthorize(this); +users->Unauthorize(iaUser->login, this); int ret = Send(sip, iaUser->port, (char*)&fin8, Min8(sizeof(fin8))); ip2user.erase(it); diff --git a/projects/stargazer/plugins/authorization/inetaccess/inetaccess.h b/projects/stargazer/plugins/authorization/inetaccess/inetaccess.h index ab0c20ee..5b280880 100644 --- a/projects/stargazer/plugins/authorization/inetaccess/inetaccess.h +++ b/projects/stargazer/plugins/authorization/inetaccess/inetaccess.h @@ -118,7 +118,8 @@ private: //----------------------------------------------------------------------------- struct IA_USER { IA_USER() - : user(NULL), + : login(), + user(NULL), lastSendAlive(0), rnd(random()), port(0), @@ -137,7 +138,8 @@ struct IA_USER { }; IA_USER(const IA_USER & u) - : user(u.user), + : login(u.login), + user(u.user), phase(u.phase), lastSendAlive(u.lastSendAlive), rnd(u.rnd), @@ -152,7 +154,8 @@ struct IA_USER { memcpy(&ctx, &u.ctx, sizeof(BLOWFISH_CTX)); }; - USER_PTR user; + std::string login; + CONST_USER_PTR user; IA_PHASE phase; UTIME lastSendAlive; uint32_t rnd; @@ -228,7 +231,7 @@ private: void DelUser(USER_PTR u); int RecvData(char * buffer, int bufferSize); int CheckHeader(const char * buffer, int * protoVer); - int PacketProcessor(char * buff, int dataLen, uint32_t sip, uint16_t sport, int protoVer, USER_PTR * user); + int PacketProcessor(char * buff, int dataLen, uint32_t sip, uint16_t sport, int protoVer, USER_PTR user); int Process_CONN_SYN_6(CONN_SYN_6 * connSyn, IA_USER * iaUser, uint32_t sip); int Process_CONN_SYN_7(CONN_SYN_7 * connSyn, IA_USER * iaUser, uint32_t sip); @@ -329,7 +332,7 @@ private: UnauthorizeUser(AUTH_IA * a) : auth(a) {} void operator()(const std::pair & p) { - p.second.user->Unauthorize(auth); + auth->users->Unauthorize(p.second.user->GetLogin(), auth); } private: AUTH_IA * auth; diff --git a/projects/stargazer/plugins/other/radius/radius.cpp b/projects/stargazer/plugins/other/radius/radius.cpp index 8ea93c9d..efa99570 100644 --- a/projects/stargazer/plugins/other/radius/radius.cpp +++ b/projects/stargazer/plugins/other/radius/radius.cpp @@ -255,7 +255,7 @@ for (it = sessions.begin(); it != sessions.end(); ++it) USER_PTR ui; if (users->FindByName(it->second.userName, &ui)) { - ui->Unauthorize(this); + users->Unauthorize(ui->GetLogin(), this); } } sessions.erase(sessions.begin(), sessions.end()); @@ -498,7 +498,7 @@ if (CanAcctService((char *)packet->service)) return -1; } USER_IPS ips = ui->GetProperty().ips; - if (ui->Authorize(ips[0].ip, 0xffFFffFF, this)) + if (users->Authorize(ui->GetLogin(), ips[0].ip, 0xffFFffFF, this)) { printfd(__FILE__, "RADIUS::ProcessAcctStartPacket cannot authorize user '%s'\n", packet->login); packet->packetType = RAD_REJECT_PACKET; @@ -539,7 +539,7 @@ if (!FindUser(&ui, sid->second.userName)) sessions.erase(sid); -ui->Unauthorize(this); +users->Unauthorize(ui->GetLogin(), this); packet->packetType = RAD_ACCEPT_PACKET; return 0; -- 2.44.2