First commit

2022-05-10 13:09:42 +02:00
commit 94daf6bb68
5 changed files with 437 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,4 @@
 mynettcptable
 mynettcptable.conf
--- a/go.mod
+++ b/go.mod
@ -0,0 +1,15 @@
 module mynettcptable
 go 1.17
 require (
 	github.com/go-ldap/ldap/v3 v3.4.3
 	github.com/peterbourgon/ff v1.7.1
 	github.com/tabalt/pidfile v1.1.0
 )
 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20211209120228-48547f28849e // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect
 	golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -0,0 +1,27 @@
 github.com/Azure/go-ntlmssp v0.0.0-20211209120228-48547f28849e h1:ZU22z/2YRFLyf/P4ZwUYSdNCWsMEI0VeyrFoI2rAhJQ=
 github.com/Azure/go-ntlmssp v0.0.0-20211209120228-48547f28849e/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/go-asn1-ber/asn1-ber v1.5.4 h1:vXT6d/FNDiELJnLb6hGNa309LMsrCoYFvpwHDF0+Y1A=
 github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-ldap/ldap/v3 v3.4.3 h1:JCKUtJPIcyOuG7ctGabLKMgIlKnGumD/iGjuWeEruDI=
 github.com/go-ldap/ldap/v3 v3.4.3/go.mod h1:7LdHfVt6iIOESVEe3Bs4Jp2sHEKgDeduAhgM1/f9qmo=
 github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
 github.com/pelletier/go-toml v1.6.0/go.mod h1:5N711Q9dKgbdkxHL+MEfF31hpT7l0S0s/t2kKREewys=
 github.com/peterbourgon/ff v1.7.1 h1:xt1lxTG+Nr2+tFtysY7abFgPoH3Lug8CwYJMOmJRXhk=
 github.com/peterbourgon/ff v1.7.1/go.mod h1:fYI5YA+3RDqQRExmFbHnBjEeWzh9TrS8rnRpEq7XIg0=
 github.com/tabalt/pidfile v1.1.0 h1:Q7qQGZ4MoAXE+rvM5tB4/eAIrawewYewByhMiPoDE50=
 github.com/tabalt/pidfile v1.1.0/go.mod h1:7F1QwNrjfAApsuX4Nyah3RsbHVAdY/D9qZWp0nnJ/Uw=
 golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29 h1:tkVvjkPTB7pnW3jnid7kNyAMPVWllTNOf/qKDze4p9o=
 golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
--- a/mynettcptable.conf.sample
+++ b/mynettcptable.conf.sample
@ -0,0 +1,7 @@
 listen-addr 0.0.0.0:8080
 ldap ldap://ldap.example.org
 ldapDN ou=mynetworks,dc=example,dc=org
 ldapUser cn=mynettcptable,ou=services,dc=example,dc=org
 ldapPass here_lies_the_password
 # networks cache refresh interval
 refresh 300
--- a/mynettcptable.go
+++ b/mynettcptable.go
@ -0,0 +1,384 @@
 // MyNetTCPTable is a postfix tcp_table service to check if a client IP is
 //   contained in LDAP, either in ipHostNumber or ipNetworkNumber form
 //
 // Copyright (c) 2022 yo000 <johan@nosd.in>
 //
 package main
 import (
 	"os"
 	"fmt"
 	"net"
 	"log"
 	"flag"
 	"sync"
 	"time"
 	"errors"
 	"strings"
 	"log/syslog"
 	"github.com/tabalt/pidfile"
 	"github.com/go-ldap/ldap/v3"
 	"github.com/peterbourgon/ff"
 )
 const (
 	version = "0.0.5"
 )
 var (
 	logstream   	*syslog.Writer
 	conLdap     	*ldap.Conn
 	mutex       	sync.Mutex
 	debug       	*bool
 	listen      	*string
 	ldapURL     	*string
 	ldapBaseDN  	*string
 	ldapUser    	*string
 	ldapPass    	*string
 	refreshInterval	*int
 	pidFilePath 	*string
 	timeout     	*int
 	netCache		[]NoAuthNet
 )
 type NoAuthNet struct {
 	Net					*net.IPNet
 	Present				bool
 }
 // Test if a net is present in cache, and set "Present" flag to true
 //   Flag is necessary when reviewing cache content
 func checkNetCacheContainsAndFlag(ipnet *net.IPNet) bool {
 	for _, n := range netCache {
 		if strings.EqualFold(ipnet.String(), n.Net.String()) {
 			n.Present = true
 			return true
 		}
 	}
 	return false
 }
 // Remove all items with Present = false
 func clearNetCache() {
 	// Manually manage loop index so we won't pass over the item following a deleted one
 	i := 0
 	for {
 		if i >= len(netCache) {
 			break
 		}
 		n := netCache[i]
 		if n.Present == false {
 			logstream.Debug(fmt.Sprintf("Delete %s from netCache\n", n.Net.String()))
 			// Nil the pointer to avoid memory leak
 			n.Net = nil
 			if i+1 < len(netCache) {
 				netCache = append(netCache[:i], netCache[i+1:]...)
 			} else {
 				netCache = netCache[:i]
 			}
 			i--
 		}
 		i++
 	}
 }
 // Flag all items as "Present = false"
 func unsetNetCachePresentFlag() {
 	for _, n := range netCache {
 		n.Present = false
 	}
 }
 func buildNetCacheFromIPNetwork(conLdap *ldap.Conn) error {
 	attribute := "ipNetworkNumber"
 	filter := "(objectClass=ipNetwork)"
 	searchReq := ldap.NewSearchRequest(*ldapBaseDN, ldap.ScopeWholeSubtree, 0, 0, 0,
 		false, filter, []string{attribute}, []ldap.Control{})
 	result, err := searchLdap(searchReq, 0)
 	if err != nil {
 		logstream.Err(fmt.Sprintf("Error searching %s into LDAP: %v\n", filter, err))
 		return err
 	}
 	if *debug {
 		logstream.Debug(fmt.Sprintf("Received %d results to ipNetwork query\n", len(result.Entries)))
 	}
 	// First flag off all elements of netCache
 	unsetNetCachePresentFlag()
 	for _, r := range result.Entries {
 		if len(r.Attributes) == 0 {
 			logstream.Info(fmt.Sprintf("Error searching into LDAP: Attribute %s not found for entry %s\n", attribute, r))
 			continue
 		} else {
 			// Explode the network to individual IPs
 			// 1: Verify format : Either CIDR, or netmask is in ipNetworkMask (do we want to support this?)
 			// 2: n := iplib.NewNet4(net.ParseIP("192.168.0.0"), 16)
 			//    n.Enumerate(
 			_, ipnet, err := net.ParseCIDR(r.Attributes[0].Values[0])
 			if err != nil {
 				logstream.Info(err.Error())
 				continue
 			}
 			if false == checkNetCacheContainsAndFlag(ipnet) {
 				netCache = append(netCache, NoAuthNet{ Net: ipnet, Present: true })
 			}
 		}
 	}
 	// Finally delete items not previously accessed
 	clearNetCache()
 	logstream.Err("Dump netcache:")
 	for _, n := range netCache {
 		logstream.Err(fmt.Sprintf("%s", n.Net.String()))
 	}
 	return nil
 }
 func isIPContainedInNetCache(string_ip string) (bool, error) {
 	ip := net.ParseIP(string_ip)
 	if ip == nil {
 		return false, errors.New(fmt.Sprintf("Invalid IP: %s", string_ip))
 	}
 	for _, n := range netCache {
 		if n.Net.Contains(ip) {
 			return true, nil
 		}
 	}
 	return false, nil
 }
 // Handle incoming request
 func handleConnection(connClt net.Conn, conLdap *ldap.Conn) {
 	buf := make([]byte, 1024)
 	// TODO : Maybe keep it open and process following requests? See "warning: read TCP map reply from srv-ldap:8080: unexpected EOF (Application error)"	
 	// Close client connection when this function ends
 	defer func() {
 		logstream.Debug("Closing connection")
 		connClt.Close()
 	}()
 	timeoutDuration := time.Duration(*timeout) * time.Second
 	for {
 		// Set a deadline for reading. Read operation will fail if no data
 		// is received after deadline.
 		connClt.SetReadDeadline(time.Now().Add(timeoutDuration))
 		readlen, err := connClt.Read(buf)
 		if err != nil {
 			// 10/05/2022 : Drop this conn if client closed connection or timeout occured
 			// Dont notice if client closed connection
 			if err.Error() != "EOF" && !strings.HasSuffix(err.Error(), "i/o timeout") {
 				logstream.Err(fmt.Sprintf("Error reading connection: %v\n", err.Error()))
 			}
 			//sendResponse(connClt, err.Error(), 500)
 			//continue
 			return
 		}
 		logstream.Debug(fmt.Sprintf("Read: %s\n", string(buf[:readlen-1])))
 		if strings.EqualFold(string(buf[:readlen-1]), "quit") {
 			if *debug {
 				logstream.Debug("Received quit instruction, buhbye")
 			}
 			connClt.Close()
 			return
 		}
 		// "refresh" sent on listening port will refresh netCache from LDAP
 		if strings.EqualFold(string(buf[:readlen-1]), "refresh") {
 			if *debug {
 				logstream.Debug("Received refresh instruction, refreshing netCache")
 			}
 			buildNetCacheFromIPNetwork(conLdap)
 			sendResponse(connClt, "Refreshing cache", 200)
 			continue
 		}
 		// Get IP sent by postfix
 		// tcp_table request is formated like "get the_ip\n"
 		if false == strings.HasPrefix(string(buf[:readlen-1]), "get ") {
 			sendResponse(connClt, fmt.Sprintf("Invalid request: %s", buf[:readlen-1]), 500)
 			continue
 		}
 		ip := string(buf[4:readlen-1])
 		// First query netCache built with ipNetworkNumber
 		res, err := isIPContainedInNetCache(ip)
 		if err != nil {
 			logstream.Err(err.Error())
 			sendResponse(connClt, err.Error(), 500)
 			continue
 		}
 		// IP is allowed, return the IP with code 200
 		if res == true {
 			sendResponse(connClt, ip, 200)
 			continue
 		}
 		// Then, if no result, query LDAP for exact IP		
 		filter := fmt.Sprintf("(ipHostNumber=%s)", ldap.EscapeFilter(ip))
 		searchReq := ldap.NewSearchRequest(*ldapBaseDN, ldap.ScopeWholeSubtree, 0, 0, 0,
 			false, filter, []string{"ipHostNumber"}, []ldap.Control{})
 		result, err := searchLdap(searchReq, 0)
 		if err != nil {
 			logstream.Err(fmt.Sprintf("Error searching into LDAP: %v\n", err))
 			sendResponse(connClt, err.Error(), 500)
 			continue
 		}
 		if len(result.Entries) < 1 {
 			s := "IP not authorized"
 			sendResponse(connClt, s, 500)
 			continue
 		}
 		if len(result.Entries) > 1 {
 			logstream.Info(fmt.Sprintf("More than one match for IP %s", ip))
 		}
 		sendResponse(connClt, ip, 200)
 	}
 }
 func sendResponse(con net.Conn, respMsg string, respCode int) error {
 	response := fmt.Sprintf("%d %s\n", respCode, strings.Replace(respMsg, " ", "%20", -1))
 	_, err := con.Write([]byte(response))
 	if err != nil {
 		return err
 	}
 	return nil
 }
 func searchLdap(searchReq *ldap.SearchRequest, attempt int) (*ldap.SearchResult, error) {
 	mutex.Lock()
 	result, err := conLdap.Search(searchReq)
 	mutex.Unlock()
 	// Let's just manage connection errors here
 	if err != nil && strings.HasSuffix(err.Error(), "ldap: connection closed") {
 		logstream.Err("LDAP connection closed, retrying")
 		mutex.Lock()
 		conLdap.Close()
 		conLdap, err = connectLdap()
 		mutex.Unlock()
 		if err != nil {
 			return result, err
 		} else {
 			attempt = attempt + 1
 			return searchLdap(searchReq, attempt)
 		}
 	}
 	return result, err
 }
 func connectLdap() (*ldap.Conn, error) {
 	var err error
 	conLdap, err = ldap.DialURL(*ldapURL)
 	if err != nil {
 		logstream.Err(fmt.Sprintf("Error dialing LDAP on %s: %v\n", *ldapURL, err))
 		return conLdap, err
 	}
 	err = conLdap.Bind(*ldapUser, *ldapPass)
 	if err != nil {
 		logstream.Err(fmt.Sprintln("Error binding LDAP: ", err))
 		return conLdap, err
 	}
 	return conLdap, err
 }
 // TODO : buildNetCache should have its own LDAP connection
 func periodicallyUpdateCache(conLdap *ldap.Conn) {
 	// On initialise immediatement le cache
 	buildNetCacheFromIPNetwork(conLdap)
 	for range time.Tick(time.Second * time.Duration(*refreshInterval)) {
 		buildNetCacheFromIPNetwork(conLdap)
 	}
 }
 func run() {
 	logstream.Info("start")
 	defer logstream.Info("exit")
 	listener, err := net.Listen("tcp", *listen)
 	if err != nil {
 		log.Fatal(fmt.Sprintf("Error listening on %s: %v\n", *listen, err))
 	}
 	conLdap, err := connectLdap()
 	if err != nil {
 		return
 	}
 	go periodicallyUpdateCache(conLdap)
 	// Spawn a go routine for incoming connection
 	for {
 		connClt, err := listener.Accept()
 		if err != nil {
 			logstream.Err(fmt.Sprintln("Error accepting: ", err))
 		}
 		go handleConnection(connClt, conLdap)
 	}
 	conLdap.Close()
 }
 func main() {
 	var e error
 	fs := flag.NewFlagSet("mxrouter", flag.ExitOnError)
 	listen = fs.String("listen-addr", "127.0.0.1:8080", "listen address for server (also via LISTEN env var)")
 	debug = fs.Bool("debug", false, "log debug information (also via DEBUG env var)")
 	ldapURL = fs.String("ldap", "", "LDAP Server URL (also via LDAP env var)")
 	ldapBaseDN = fs.String("ldapDN", "", "LDAP base DN (also via LDAPDN env var)")
 	ldapUser = fs.String("ldapUser", "", "LDAP user DN (also via LDAPUSER env var)")
 	ldapPass = fs.String("ldapPass", "", "LDAP user password (also via LDAPPASS env var)")
 	pidFilePath = fs.String("pidfile", "/var/run/mynettcptable/mynettcptable.pid", "PID File (also via PIDFILE env var)")
 	refreshInterval = fs.Int("refresh", 300, "Net cache update interval in seconds")
 	timeout = fs.Int("timeout", 5, "timeout in seconds")
 	_ = fs.String("config", "", "config file (optional)")
 	// Surcharge de la fonction Usage()
 	fs.Usage = func() {
 		fmt.Fprintf(flag.CommandLine.Output(), "%s version %s\n", os.Args[0], version)
 		fmt.Fprintf(flag.CommandLine.Output(), "Usage:\n")
 		fs.PrintDefaults()
 	}
 	ff.Parse(fs, os.Args[1:], ff.WithEnvVarNoPrefix(), ff.WithConfigFileFlag("config"), ff.WithConfigFileParser(ff.PlainParser))
 	if len(*ldapURL) == 0 || len(*ldapBaseDN) == 0 || len(*ldapUser) == 0 || len(*ldapPass) == 0 {
 		fs.Usage()
 		return
 	}
 	fmt.Printf("MyNetTCPTable v.%s\n", version)
 	if pid, err := pidfile.Create(*pidFilePath); err != nil {
 		log.Fatal(err)
 	} else {
 		defer pid.Clear()
 	}
 	flags := syslog.LOG_MAIL
 	if *debug {
 		fmt.Printf("Set logging level to DEBUG\n")
 		flags = syslog.LOG_MAIL|syslog.LOG_DEBUG
 	}
 	if logstream, e = syslog.New(flags, "mynettcptable"); e != nil {
 		log.Fatal(e)
 	}
 	defer logstream.Close()
 	fmt.Printf("Start listening for incoming connections on %s\n", *listen)
 	run()
 }