First commit

This commit is contained in:
yo
2022-05-10 13:09:42 +02:00
commit 94daf6bb68
5 changed files with 437 additions and 0 deletions
+384
View File
@@ -0,0 +1,384 @@
// MyNetTCPTable is a postfix tcp_table service to check if a client IP is
// contained in LDAP, either in ipHostNumber or ipNetworkNumber form
//
// Copyright (c) 2022 yo000 <johan@nosd.in>
//
package main
import (
"os"
"fmt"
"net"
"log"
"flag"
"sync"
"time"
"errors"
"strings"
"log/syslog"
"github.com/tabalt/pidfile"
"github.com/go-ldap/ldap/v3"
"github.com/peterbourgon/ff"
)
const (
version = "0.0.5"
)
var (
logstream *syslog.Writer
conLdap *ldap.Conn
mutex sync.Mutex
debug *bool
listen *string
ldapURL *string
ldapBaseDN *string
ldapUser *string
ldapPass *string
refreshInterval *int
pidFilePath *string
timeout *int
netCache []NoAuthNet
)
type NoAuthNet struct {
Net *net.IPNet
Present bool
}
// Test if a net is present in cache, and set "Present" flag to true
// Flag is necessary when reviewing cache content
func checkNetCacheContainsAndFlag(ipnet *net.IPNet) bool {
for _, n := range netCache {
if strings.EqualFold(ipnet.String(), n.Net.String()) {
n.Present = true
return true
}
}
return false
}
// Remove all items with Present = false
func clearNetCache() {
// Manually manage loop index so we won't pass over the item following a deleted one
i := 0
for {
if i >= len(netCache) {
break
}
n := netCache[i]
if n.Present == false {
logstream.Debug(fmt.Sprintf("Delete %s from netCache\n", n.Net.String()))
// Nil the pointer to avoid memory leak
n.Net = nil
if i+1 < len(netCache) {
netCache = append(netCache[:i], netCache[i+1:]...)
} else {
netCache = netCache[:i]
}
i--
}
i++
}
}
// Flag all items as "Present = false"
func unsetNetCachePresentFlag() {
for _, n := range netCache {
n.Present = false
}
}
func buildNetCacheFromIPNetwork(conLdap *ldap.Conn) error {
attribute := "ipNetworkNumber"
filter := "(objectClass=ipNetwork)"
searchReq := ldap.NewSearchRequest(*ldapBaseDN, ldap.ScopeWholeSubtree, 0, 0, 0,
false, filter, []string{attribute}, []ldap.Control{})
result, err := searchLdap(searchReq, 0)
if err != nil {
logstream.Err(fmt.Sprintf("Error searching %s into LDAP: %v\n", filter, err))
return err
}
if *debug {
logstream.Debug(fmt.Sprintf("Received %d results to ipNetwork query\n", len(result.Entries)))
}
// First flag off all elements of netCache
unsetNetCachePresentFlag()
for _, r := range result.Entries {
if len(r.Attributes) == 0 {
logstream.Info(fmt.Sprintf("Error searching into LDAP: Attribute %s not found for entry %s\n", attribute, r))
continue
} else {
// Explode the network to individual IPs
// 1: Verify format : Either CIDR, or netmask is in ipNetworkMask (do we want to support this?)
// 2: n := iplib.NewNet4(net.ParseIP("192.168.0.0"), 16)
// n.Enumerate(
_, ipnet, err := net.ParseCIDR(r.Attributes[0].Values[0])
if err != nil {
logstream.Info(err.Error())
continue
}
if false == checkNetCacheContainsAndFlag(ipnet) {
netCache = append(netCache, NoAuthNet{ Net: ipnet, Present: true })
}
}
}
// Finally delete items not previously accessed
clearNetCache()
logstream.Err("Dump netcache:")
for _, n := range netCache {
logstream.Err(fmt.Sprintf("%s", n.Net.String()))
}
return nil
}
func isIPContainedInNetCache(string_ip string) (bool, error) {
ip := net.ParseIP(string_ip)
if ip == nil {
return false, errors.New(fmt.Sprintf("Invalid IP: %s", string_ip))
}
for _, n := range netCache {
if n.Net.Contains(ip) {
return true, nil
}
}
return false, nil
}
// Handle incoming request
func handleConnection(connClt net.Conn, conLdap *ldap.Conn) {
buf := make([]byte, 1024)
// TODO : Maybe keep it open and process following requests? See "warning: read TCP map reply from srv-ldap:8080: unexpected EOF (Application error)"
// Close client connection when this function ends
defer func() {
logstream.Debug("Closing connection")
connClt.Close()
}()
timeoutDuration := time.Duration(*timeout) * time.Second
for {
// Set a deadline for reading. Read operation will fail if no data
// is received after deadline.
connClt.SetReadDeadline(time.Now().Add(timeoutDuration))
readlen, err := connClt.Read(buf)
if err != nil {
// 10/05/2022 : Drop this conn if client closed connection or timeout occured
// Dont notice if client closed connection
if err.Error() != "EOF" && !strings.HasSuffix(err.Error(), "i/o timeout") {
logstream.Err(fmt.Sprintf("Error reading connection: %v\n", err.Error()))
}
//sendResponse(connClt, err.Error(), 500)
//continue
return
}
logstream.Debug(fmt.Sprintf("Read: %s\n", string(buf[:readlen-1])))
if strings.EqualFold(string(buf[:readlen-1]), "quit") {
if *debug {
logstream.Debug("Received quit instruction, buhbye")
}
connClt.Close()
return
}
// "refresh" sent on listening port will refresh netCache from LDAP
if strings.EqualFold(string(buf[:readlen-1]), "refresh") {
if *debug {
logstream.Debug("Received refresh instruction, refreshing netCache")
}
buildNetCacheFromIPNetwork(conLdap)
sendResponse(connClt, "Refreshing cache", 200)
continue
}
// Get IP sent by postfix
// tcp_table request is formated like "get the_ip\n"
if false == strings.HasPrefix(string(buf[:readlen-1]), "get ") {
sendResponse(connClt, fmt.Sprintf("Invalid request: %s", buf[:readlen-1]), 500)
continue
}
ip := string(buf[4:readlen-1])
// First query netCache built with ipNetworkNumber
res, err := isIPContainedInNetCache(ip)
if err != nil {
logstream.Err(err.Error())
sendResponse(connClt, err.Error(), 500)
continue
}
// IP is allowed, return the IP with code 200
if res == true {
sendResponse(connClt, ip, 200)
continue
}
// Then, if no result, query LDAP for exact IP
filter := fmt.Sprintf("(ipHostNumber=%s)", ldap.EscapeFilter(ip))
searchReq := ldap.NewSearchRequest(*ldapBaseDN, ldap.ScopeWholeSubtree, 0, 0, 0,
false, filter, []string{"ipHostNumber"}, []ldap.Control{})
result, err := searchLdap(searchReq, 0)
if err != nil {
logstream.Err(fmt.Sprintf("Error searching into LDAP: %v\n", err))
sendResponse(connClt, err.Error(), 500)
continue
}
if len(result.Entries) < 1 {
s := "IP not authorized"
sendResponse(connClt, s, 500)
continue
}
if len(result.Entries) > 1 {
logstream.Info(fmt.Sprintf("More than one match for IP %s", ip))
}
sendResponse(connClt, ip, 200)
}
}
func sendResponse(con net.Conn, respMsg string, respCode int) error {
response := fmt.Sprintf("%d %s\n", respCode, strings.Replace(respMsg, " ", "%20", -1))
_, err := con.Write([]byte(response))
if err != nil {
return err
}
return nil
}
func searchLdap(searchReq *ldap.SearchRequest, attempt int) (*ldap.SearchResult, error) {
mutex.Lock()
result, err := conLdap.Search(searchReq)
mutex.Unlock()
// Let's just manage connection errors here
if err != nil && strings.HasSuffix(err.Error(), "ldap: connection closed") {
logstream.Err("LDAP connection closed, retrying")
mutex.Lock()
conLdap.Close()
conLdap, err = connectLdap()
mutex.Unlock()
if err != nil {
return result, err
} else {
attempt = attempt + 1
return searchLdap(searchReq, attempt)
}
}
return result, err
}
func connectLdap() (*ldap.Conn, error) {
var err error
conLdap, err = ldap.DialURL(*ldapURL)
if err != nil {
logstream.Err(fmt.Sprintf("Error dialing LDAP on %s: %v\n", *ldapURL, err))
return conLdap, err
}
err = conLdap.Bind(*ldapUser, *ldapPass)
if err != nil {
logstream.Err(fmt.Sprintln("Error binding LDAP: ", err))
return conLdap, err
}
return conLdap, err
}
// TODO : buildNetCache should have its own LDAP connection
func periodicallyUpdateCache(conLdap *ldap.Conn) {
// On initialise immediatement le cache
buildNetCacheFromIPNetwork(conLdap)
for range time.Tick(time.Second * time.Duration(*refreshInterval)) {
buildNetCacheFromIPNetwork(conLdap)
}
}
func run() {
logstream.Info("start")
defer logstream.Info("exit")
listener, err := net.Listen("tcp", *listen)
if err != nil {
log.Fatal(fmt.Sprintf("Error listening on %s: %v\n", *listen, err))
}
conLdap, err := connectLdap()
if err != nil {
return
}
go periodicallyUpdateCache(conLdap)
// Spawn a go routine for incoming connection
for {
connClt, err := listener.Accept()
if err != nil {
logstream.Err(fmt.Sprintln("Error accepting: ", err))
}
go handleConnection(connClt, conLdap)
}
conLdap.Close()
}
func main() {
var e error
fs := flag.NewFlagSet("mxrouter", flag.ExitOnError)
listen = fs.String("listen-addr", "127.0.0.1:8080", "listen address for server (also via LISTEN env var)")
debug = fs.Bool("debug", false, "log debug information (also via DEBUG env var)")
ldapURL = fs.String("ldap", "", "LDAP Server URL (also via LDAP env var)")
ldapBaseDN = fs.String("ldapDN", "", "LDAP base DN (also via LDAPDN env var)")
ldapUser = fs.String("ldapUser", "", "LDAP user DN (also via LDAPUSER env var)")
ldapPass = fs.String("ldapPass", "", "LDAP user password (also via LDAPPASS env var)")
pidFilePath = fs.String("pidfile", "/var/run/mynettcptable/mynettcptable.pid", "PID File (also via PIDFILE env var)")
refreshInterval = fs.Int("refresh", 300, "Net cache update interval in seconds")
timeout = fs.Int("timeout", 5, "timeout in seconds")
_ = fs.String("config", "", "config file (optional)")
// Surcharge de la fonction Usage()
fs.Usage = func() {
fmt.Fprintf(flag.CommandLine.Output(), "%s version %s\n", os.Args[0], version)
fmt.Fprintf(flag.CommandLine.Output(), "Usage:\n")
fs.PrintDefaults()
}
ff.Parse(fs, os.Args[1:], ff.WithEnvVarNoPrefix(), ff.WithConfigFileFlag("config"), ff.WithConfigFileParser(ff.PlainParser))
if len(*ldapURL) == 0 || len(*ldapBaseDN) == 0 || len(*ldapUser) == 0 || len(*ldapPass) == 0 {
fs.Usage()
return
}
fmt.Printf("MyNetTCPTable v.%s\n", version)
if pid, err := pidfile.Create(*pidFilePath); err != nil {
log.Fatal(err)
} else {
defer pid.Clear()
}
flags := syslog.LOG_MAIL
if *debug {
fmt.Printf("Set logging level to DEBUG\n")
flags = syslog.LOG_MAIL|syslog.LOG_DEBUG
}
if logstream, e = syslog.New(flags, "mynettcptable"); e != nil {
log.Fatal(e)
}
defer logstream.Close()
fmt.Printf("Start listening for incoming connections on %s\n", *listen)
run()
}