From 3c7527c91f8ba88e6ccc22026f86278a2546feb2 Mon Sep 17 00:00:00 2001
From: b
Date: Tue, 10 Nov 2015 10:53:10 +0000
Subject: [PATCH] Proxy unlocking authentication is ready.
git-svn-id: svn://botcastle1b/yplom/proxy@3 05ce6ebb-7522-4a6e-a768-0026ae12be9f
---
 access.c | 13 +++++++++
 access.pl | 47 ++++++++++++++++++++++++++-----
 makefile | 16 +++++------
 proxy.pl | 82 ++++++++++++++++++++++++++++++++++++++++++++++++-------
 4 files changed, 133 insertions(+), 25 deletions(-)
 create mode 100644 access.c
diff --git a/access.c b/access.c
new file mode 100644
index 0000000..bb67bbd
--- /dev/null
+++ b/access.c
@@ -0,0 +1,13 @@
+//The SETUID wrapper.
+
+#include
+#include
+
+#define ACCESS_PATH "/yplom/bin/proxy/access.pl"
+#define ACCESS_LOG "/yplom/log/proxy/access-stderr.log"
+
+int main(int argc, char *argv[], char *envp[])
+{
+ freopen(ACCESS_LOG,"at",stderr);
+ return execve(ACCESS_PATH,argv,envp);
+}
diff --git a/access.pl b/access.pl
index 2f458b4..d8886cc 100644
--- a/access.pl
+++ b/access.pl
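Review bot: main() hands the caller's environment unchanged to the setuid exec in `return execve(ACCESS_PATH,argv,envp);`, so whoever invokes the wrapper chooses the environment the privileged access.pl runs under; proxy.pl in this same patch scrubs IFS/CDPATH/ENV/BASH_ENV and pins PATH, and the wrapper is the natural place to do the equivalent by passing a fixed minimal environment instead of envp, e.g. `char *const env[] = { "PATH=/usr/local/bin:/usr/bin:/bin", NULL };` and `return execve(ACCESS_PATH, argv, env);`. The freopen() result is also unchecked, so if ACCESS_LOG cannot be opened stderr silently stays wherever the caller pointed it; `if (!freopen(ACCESS_LOG, "at", stderr)) return 1;` makes that failure visible. The two `#include` lines show no header names in this rendering, which looks like an extraction artefact rather than the committed text, but is worth confirming against the repository.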
@@ -1,16 +1,49 @@ #!/usr/bin/perl -use constant REWRITE_URL => 'bicyclesonthemoon.info:59443'; +use constant ACCESS_PATH => '/yplom/data/proxy/access/'; +use constant TIMEOUT_UNLOCK => 90; +use constant TIMEOUT_INACT => 15; $|=1; +$timeout_unlock = TIMEOUT_UNLOCK*60; +$timeout_inact = TIMEOUT_INACT*60; while () { - $a=$_; - if ($a =~ /^([0-9]+ )/) { + $line=$_; + if ($line =~ s/^([0-9]+ )//) { print $1; } - print "ERR\n"; - open ($log,">>","/yplom/log/proxy/acl") or exit; - print $log $a; - close($log); + + $accesstime = time(); + # print '+++ '.$line."\n"; + + if ($line =~ /^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)( .*)?$/) { + $IP = $1; + $accesspath=ACCESS_PATH.$IP; + if (open ($accessfile,"<",$accesspath)) { + $unlocktime=<$accessfile>; + $lasttime=<$accessfile>; + close($accessfile); + $unlocktime =~ s/\n//g; + $lasttime =~ s/\n//g; + + if ((abs($accesstime-$unlocktime)>$timeout_unlock) or (abs($accesstime-$unlocktime)>$timeout_inact)){ + print "ERR too long\n"; + unlink $accesspath; + } + else { + print "OK\n"; + if (open ($accessfile,">",$accesspath)) { + print $accessfile "$unlocktime\n$accesstime\n"; + close ($accessfile); + } + } + } + else { + print "ERR\n"; + } + } + else { + print "ERR\n"; + } } diff --git a/makefile b/makefile index ab1eef9..dee34ee 100644 --- a/makefile +++ b/makefile @@ -11,14 +11,14 @@ all: moveout copyout moveout: proxy rewrite access setuid exec mv proxy access rewrite $(OD) -copyout: proxy.pl setuid exec - cp proxy.pl $(OD) +copyout: proxy.pl access.pl setuid exec + cp proxy.pl access.pl $(OD) -setuid: proxy - chmod u+s proxy +setuid: proxy access + chmod u+s proxy access -exec: rewrite access proxy - chmod +x rewrite access proxy +exec: rewrite access.pl proxy.pl proxy + chmod +x rewrite access.pl proxy.pl proxy proxy: proxy.c $(CC) $(CF) -o proxy proxy.c @@ -26,5 +26,5 @@ proxy: proxy.c rewrite: rewrite.pl cp rewrite.pl rewrite -access: access.pl - cp access.pl access +access: access.c + $(CC) $(CF) -o access access.c 
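Review bot: The expiry test reads `$lasttime` from the second line of the access file but never consults it: both halves of `if ((abs($accesstime-$unlocktime)>$timeout_unlock) or (abs($accesstime-$unlocktime)>$timeout_inact))` compare against `$unlocktime`, so with TIMEOUT_INACT at 15 minutes every unlock simply expires 15 minutes after it was granted, the 90-minute TIMEOUT_UNLOCK can never fire first, and the `$lasttime` value rewritten on each hit has no effect. The second clause should be `(abs($accesstime-$lasttime)>$timeout_inact)`. The same expression is duplicated in the new `access` sub in proxy.pl, which needs the identical correction. Since this hunk starts at line 1, it is also the place to add `use strict; use warnings;` and declare `$line`, `$IP`, `$accesspath` and the file handles with `my`, rather than relying on package globals throughout.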
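Review bot: `chmod u+s proxy access` in the setuid target adds the setuid bit on top of the `chmod +x` from the exec target, leaving both privileged binaries executable by every local user; the makefile does not show the owner or group they carry once moved to $(OD). If only the proxy service account needs to run them, an explicit mode such as `chmod 4750 proxy access` combined with the intended group ownership limits who can invoke the setuid programs. A short comment on the target recording which account is expected to execute them would also help the next maintainer judge that mode.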
diff --git a/proxy.pl b/proxy.pl index 94307f7..1f9691d 100755 --- a/proxy.pl +++ b/proxy.pl @@ -2,15 +2,20 @@ use POSIX qw(strftime); -use constant ACCESS_LOG => '/yplom/log/proxy/access.log'; -use constant DATA_PATH => '/yplom/data/proxy/'; -use constant PASS_PATH => '/yplom/data/proxy/pass/'; -use constant ACCESS_PATH => '/yplom/data/proxy/access/'; -use constant UNLOCK_PROXY_URL => 'https://yplom.bicyclesonthemoon.info/proxy/unlock'; -use constant UNLOCK_PROXY_HOST => qr/^yplom\.bicyclesonthemoon\.info(:[0-9]*)?$/; -use constant UNLOCK_PROXY_PATH => qr/^\/proxy\/unlock\/?$/; +use constant ACCESS_LOG => '/yplom/log/proxy/access.log'; +use constant DATA_PATH => '/yplom/data/proxy/'; +use constant PASS_PATH => '/yplom/data/proxy/pass/'; +use constant ACCESS_PATH => '/yplom/data/proxy/access/'; +use constant UNLOCK_PROXY_URL => 'http://yplom.bicyclesonthemoon.info/proxy/unlock'; +use constant UNLOCK_PROXY_URL_S => 'https://yplom.bicyclesonthemoon.info/proxy/unlock'; +use constant UNLOCK_PROXY_HOST => qr/^yplom\.bicyclesonthemoon\.info(:[0-9]*)?$/; +use constant UNLOCK_PROXY_PATH => qr/^\/proxy\/unlock\/?$/; +use constant TIMEOUT_UNLOCK => 90; +use constant TIMEOUT_INACT => 15; $accesstime = time(); +$timeout_unlock = TIMEOUT_UNLOCK*60; +$timeout_inact = TIMEOUT_INACT*60; delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; $ENV{'PATH'}='/usr/local/bin:/usr/bin:/bin'; 
@@ -19,9 +24,51 @@ if (($ENV{'HTTP_HOST'} =~ UNLOCK_PROXY_HOST) and ($ENV{'PATH_INFO'} =~ UNLOCK_PR unlock(); } else { - debag(); + if(access()) { + debag(); + } + else { + noaccess(); + } } +sub access { #kind of doubles the functionality of access.pl but for http + if($ENV{'HTTP_HOST'} =~ UNLOCK_PROXY_HOST){ + return 1; + } + if ($ENV{'REMOTE_ADDR'} =~ /^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)$/) { + $IP = $1; + if ($IP eq '127.0.0.1') { + return 1; + } + $accesspath=ACCESS_PATH.$IP; + if (open ($accessfile,"<",$accesspath)) { + $unlocktime=<$accessfile>; + $lasttime=<$accessfile>; + close($accessfile); + $unlocktime =~ s/\n//g; + $lasttime =~ s/\n//g; + + if ((abs($accesstime-$unlocktime)>$timeout_unlock) or (abs($accesstime-$unlocktime)>$timeout_inact)){ + unlink $accesspath; + return 0; + } + else { + if (open ($accessfile,">",$accesspath)) { + print $accessfile "$unlocktime\n$accesstime\n"; + close ($accessfile); + } + return 1; + } + } + else { + return 0; + } + } + else { + return 0; + } +} sub unlock { if ($ENV{'REMOTE_ADDR'} =~ /^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)$/) { $IP=$1; @@ -80,7 +127,7 @@ sub unlock { $accesspath=ACCESS_PATH.$IP; open ($accessfile,">",$accesspath) or return unlockpage("$accesspath","Status: 403 Forbidden\n"); - print $accessfile "$accesstime\n$accesstime"; + print $accessfile "$accesstime\n$accesstime\n"; close ($accessfile); return unlockedpage(); @@ -123,7 +170,7 @@ sub unlockpage { if($message ne ''){ print $message; } - print '
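Review bot: The new `access` sub returns 1 as soon as `$ENV{'HTTP_HOST'}` matches UNLOCK_PROXY_HOST, before any per-IP check, and HTTP_HOST is a client-supplied header; unlike the caller, which also requires PATH_INFO to match UNLOCK_PROXY_PATH before invoking `unlock`, this shortcut applies to every path on that host. If everything served for the unlock host is meant to be reachable without unlocking, a comment stating that would help (`# unlock host is public: no per-IP gate`); otherwise the early return should be tied to UNLOCK_PROXY_PATH as well or dropped. The sub also shares `$IP`, `$accesspath`, `$accessfile`, `$unlocktime` and `$lasttime` as package globals with `unlock`, so `my` declarations would avoid accidental cross-talk between the two. The `debag` branch it now gates prints %ENV entries to the client according to the context at the end of the patch, which reads as a debugging stand-in; worth confirming it is not what unlocked clients will reach in production.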
'; + print ''; print 'Username:
'; print 'Password:
'; print 'IP:
'; @@ -154,6 +201,21 @@ sub unlockedpage { print "\n"; } +sub noaccess { + print "Status: 403 Forbidden\n;"; + print "Content-type: text/html\n\n"; + print ''; + print ''; + print 'Proxy not unlocked'; + print ''; + print ''; + print '

Proxy not unlocked

'; + print 'The proxy is not unlocked for your IP.
'; + print 'Follow this link to unlock the proxy:
'; + print ''.UNLOCK_PROXY_URL.''; + print "\n"; +} + sub debag { print "Content-type: text/plain\n\n"; foreach $envk (keys %ENV) { -- 2.30.2
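Review bot: The first header line of `noaccess` carries its statement terminator inside the string: `print "Status: 403 Forbidden\n;";` emits a line consisting of `;` between the Status and Content-type headers, which is not a valid CGI header and can cause the server to reject or mangle the whole response. It should read `print "Status: 403 Forbidden\n";`. The page links to UNLOCK_PROXY_URL, the plain-http variant added by this patch, while UNLOCK_PROXY_URL_S is unused in the visible hunks; if the unlock form ends up posting the username and password to the http URL they travel in clear text, so the form action in `unlockpage` should use the https constant even if this redirect link stays http.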