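/*
 * Copyright (c) Contributors, http://opensimulator.org/
 * See CONTRIBUTORS.TXT for a full list of copyright holders.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *     * Redistributions of source code must retain the above copyright
 *       notice, this list of conditions and the following disclaimer.
 *     * Redistributions in binary form must reproduce the above copyright
 *       notice, this list of conditions and the following disclaimer in the
 *       documentation and/or other materials provided with the distribution.
 *     * Neither the name of the OpenSimulator Project nor the
 *       names of its contributors may be used to endorse or promote products
 *       derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using Nini.Config;
using log4net;
using OpenSim.Framework;
using OpenSim.Services.Interfaces;
using OpenSim.Region.Framework.Interfaces;
using OpenSim.Region.Framework.Scenes;
using OpenMetaverse;
using GridRegion = OpenSim.Services.Interfaces.GridRegion;
using System.Net;
using System.Net.Security;

namespace OpenSim.Region.CoreModules.ServiceConnectorsOut.Authorization
{
    /// <summary>
    /// Region-local <see cref="IAuthorizationService"/> that decides whether an agent may
    /// enter this region. The restriction mode is read from the <see cref="IConfig"/> handed
    /// to the constructor ("Region_ALL", overridden by "Region_&lt;RegionName&gt;"). In the
    /// AllowLocalAndFriendlyHG mode, foreign (Hypergrid) visitors that are neither estate
    /// administrators nor on a parcel access list are checked against a grid-wide
    /// black/white list downloaded from the "GridWideAccessList" URL with this region's id
    /// appended.
    /// </summary>
    public class AuthorizationService : IAuthorizationService
    {
        /// <summary>
        /// Restriction modes. Despite the name this is not a [Flags] enum: exactly one mode
        /// is active, and 3 is its own mode rather than DisallowResidents | DisallowForeigners.
        /// </summary>
        private enum AccessFlags
        {
            None = 0,                    /* No restrictions */
            DisallowResidents = 1,       /* Only gods and managers */
            DisallowForeigners = 2,      /* Only local people */
            AllowLocalAndFriendlyHG = 3, /* Only local and friendly people */
        }

        private static readonly ILog m_log = LogManager.GetLogger(
            MethodBase.GetCurrentMethod().DeclaringType);

        /// <summary>Seconds the downloaded access list is reused before it is fetched again.</summary>
        private const int ListRefreshSeconds = 60;

        private IUserManagement m_UserManagement;
        // private IGridService m_GridService;
        private Scene m_Scene;
        private AccessFlags m_accessValue = AccessFlags.None;
        private string m_serverURL = "";

        // Unix time (seconds) of the last successful list download; 0 forces a fetch on first use.
        private int m_lastListRefresh = 0;
        private string m_cachedList = "";

        /// <summary>
        /// Disables TLS server-certificate validation for every HTTPS connection this process
        /// makes through <see cref="ServicePointManager"/>, not just the access-list download.
        /// While active, anyone able to interpose on the network path can serve a forged access
        /// list and thereby decide which Hypergrid visitors this region admits. It is therefore
        /// no longer called automatically by the authorization check; an operator who knowingly
        /// needs it (self-signed certificate on the list server) must call it explicitly, and
        /// should prefer installing that certificate as trusted on the simulator host instead.
        /// </summary>
        public static void InitiateSSLTrust()
        {
            m_log.Warn("[AuthorizationService]: InitiateSSLTrust() called; TLS certificate validation is now disabled process-wide");
            ServicePointManager.ServerCertificateValidationCallback =
                (sender, certificate, chain, sslPolicyErrors) => true;
        }

        /// <summary>Seconds since 1970-01-01 UTC, truncated to int (the cache timestamp type).</summary>
        private static int CurrentUnixTime()
        {
            return (int)(DateTime.UtcNow.Subtract(new DateTime(1970, 1, 1))).TotalSeconds;
        }

        /// <summary>
        /// Returns the grid-wide access list for this region, re-downloading it from
        /// m_serverURL + RegionID once the cached copy is older than <see cref="ListRefreshSeconds"/>.
        /// </summary>
        /// <returns>
        /// The (possibly cached) list text, or "" when a refresh was due and the download
        /// failed. The empty string matches no entry, so a failed fetch denies HG visitors
        /// who depend on a whitelist entry rather than admitting them.
        /// </returns>
        private string getAccessList()
        {
            int now = CurrentUnixTime();
            if ((m_lastListRefresh + ListRefreshSeconds) >= now)
            {
                return m_cachedList;
            }

            try
            {
                // WebClient is IDisposable; the previous version leaked one per refresh.
                using (WebClient client = new WebClient())
                {
                    m_cachedList = client.DownloadString(m_serverURL + m_Scene.RegionInfo.RegionID.ToString());
                }
                m_lastListRefresh = now;
                return m_cachedList;
            }
            catch (Exception e)
            {
                // m_lastListRefresh is left unchanged so the next call retries immediately.
                m_log.Error("[AuthorizationService]: Cant fetch global HG access list!", e);
                return "";
            }
        }

        /// <summary>
        /// Normalises <paramref name="entry"/> (scheme prefixes and slashes removed, matching
        /// the form the list server is expected to publish) and looks it up in the current
        /// access list.
        /// </summary>
        /// <param name="entry">An entry such as "grid:host:port" or "user:UUID@host:port".</param>
        /// <returns>True when the normalised entry is present in the list as a whole token.</returns>
        private bool checkRemoteAccessList(string entry)
        {
            string accessList = getAccessList();
            if (string.IsNullOrEmpty(accessList))
                return false;

            string normalized = entry.Replace("http:", "").Replace("https:", "").Replace("/", "");
            return ContainsToken(accessList, normalized);
        }

        /// <summary>
        /// True when <paramref name="token"/> occurs in <paramref name="list"/> as a whole
        /// token, i.e. not merely as a substring of a longer entry (the plain Contains() used
        /// before let "grid:example.org" match an entry "grid:example.org.other"). The list's
        /// delimiter is not known here, so any character outside the set used by host names,
        /// ports and UUIDs counts as a boundary; this works for newline-, comma-, space- and
        /// quote-delimited lists alike.
        /// </summary>
        private static bool ContainsToken(string list, string token)
        {
            if (string.IsNullOrEmpty(token))
                return false;

            int index = 0;
            while ((index = list.IndexOf(token, index, StringComparison.Ordinal)) >= 0)
            {
                bool startOk = index == 0 || !IsTokenChar(list[index - 1]);
                int end = index + token.Length;
                bool endOk = end == list.Length || !IsTokenChar(list[end]);
                if (startOk && endOk)
                    return true;
                index += 1;
            }
            return false;
        }

        /// <summary>Characters that may appear inside a normalised list entry.</summary>
        private static bool IsTokenChar(char c)
        {
            return char.IsLetterOrDigit(c) || c == '.' || c == '-' || c == '_' || c == ':' || c == '@';
        }

        /// <summary>
        /// Parses a configured access mode. Unlike a bare <see cref="Enum.Parse(Type, string)"/>,
        /// an integer outside the named values (e.g. "7") is rejected: an unknown mode matches
        /// none of the restriction branches in <see cref="IsAuthorizedForRegion"/> and would
        /// silently behave like None.
        /// </summary>
        private static bool TryParseAccessFlags(string text, out AccessFlags value)
        {
            value = AccessFlags.None;
            try
            {
                object parsed = Enum.Parse(typeof(AccessFlags), text);
                if (!Enum.IsDefined(typeof(AccessFlags), parsed))
                    return false;
                value = (AccessFlags)parsed;
                return true;
            }
            catch (ArgumentException)
            {
                return false;
            }
            catch (OverflowException)
            {
                return false;
            }
        }

        /// <summary>
        /// Creates the service for <paramref name="scene"/>, reading the access mode and the
        /// access-list URL from <paramref name="config"/> (which may be null: then the region
        /// is unrestricted).
        /// </summary>
        public AuthorizationService(IConfig config, Scene scene)
        {
            m_Scene = scene;
            m_UserManagement = scene.RequestModuleInterface<IUserManagement>();
            // m_GridService = scene.GridService;

            if (m_UserManagement == null)
                m_log.Warn("[AuthorizationService]: No IUserManagement module available; local/foreign user checks will fail");

            if (config == null)
                return;

            string accessStr = config.GetString("Region_ALL", String.Empty);
            accessStr = config.GetString("Region_" + scene.RegionInfo.RegionName.Replace(' ', '_'), accessStr);
            // The region id is appended verbatim, so the default ends with the query key.
            // (An HTML-entity-mangled copy of this file reads "®ion=", which yields an
            // unusable query string.)
            m_serverURL = config.GetString("GridWideAccessList", "https://mcp.4creative.net/?api=getAccessList&region=");

            if (accessStr != string.Empty)
            {
                AccessFlags parsed;
                if (TryParseAccessFlags(accessStr, out parsed))
                    m_accessValue = parsed;
                else
                    m_log.WarnFormat("[AuthorizationService]: {0} is not a valid access flag", accessStr);
            }

            m_log.DebugFormat("[AuthorizationService]: Region {0} access restrictions: {1}",
                m_Scene.RegionInfo.RegionName, m_accessValue);
        }

        /// <summary>
        /// Decides whether <paramref name="user"/> may enter this region under the configured mode.
        /// </summary>
        /// <param name="user">Agent id as a UUID string.</param>
        /// <param name="firstName">Unused.</param>
        /// <param name="lastName">Unused.</param>
        /// <param name="regionID">Unused; the request is not cross-checked against this region's id
        /// (that check is commented out upstream).</param>
        /// <param name="message">Human-readable reason for the decision.</param>
        /// <returns>True to admit the agent, false to refuse.</returns>
        public bool IsAuthorizedForRegion(
            string user, string firstName, string lastName, string regionID, out string message)
        {
            if (m_accessValue == AccessFlags.None)
            {
                message = "Authorized";
                return true;
            }

            UUID userID;
            if (!UUID.TryParse(user, out userID))
            {
                // new UUID(user) threw on malformed input and the exception escaped the service;
                // a caller-supplied value that is not an agent id is refused instead.
                m_log.WarnFormat("[AuthorizationService]: Refusing authorization request with malformed user id '{0}'", user);
                message = "You dont have access to this region.";
                return false;
            }

            // Exactly one mode is active, so the former chain of independent ifs is a switch.
            switch (m_accessValue)
            {
                case AccessFlags.DisallowForeigners:
                    if (!m_UserManagement.IsLocalGridUser(userID))
                    {
                        message = "No foreign users allowed in this region";
                        return false;
                    }
                    break;

                case AccessFlags.DisallowResidents:
                    if (!IsEstateAdmin(userID))
                    {
                        message = "Only Admins and Managers allowed in this region";
                        return false;
                    }
                    break;

                case AccessFlags.AllowLocalAndFriendlyHG:
                    return IsAuthorizedLocalOrFriendlyHG(user, userID, out message);
            }

            message = "Authorized";
            return true;
        }

        /// <summary>God or estate administrator in this scene.</summary>
        private bool IsEstateAdmin(UUID userID)
        {
            return m_Scene.Permissions.IsGod(userID) || m_Scene.Permissions.IsAdministrator(userID);
        }

        /// <summary>
        /// AllowLocalAndFriendlyHG mode: local users, estate admins and parcel access-list members
        /// are admitted; everyone else is a Hypergrid visitor whose home grid and user id are
        /// checked against the remote list, blacklist entries first so that they override a
        /// whitelist entry. Anything unmatched is refused.
        /// </summary>
        private bool IsAuthorizedLocalOrFriendlyHG(string user, UUID userID, out string message)
        {
            if (m_UserManagement.IsLocalGridUser(userID))
            {
                message = "All local users are allowed.";
                return true;
            }

            if (IsEstateAdmin(userID))
            {
                message = "Estate administrators are allways allowed.";
                return true;
            }

            foreach (ILandObject parcel in m_Scene.LandChannel.AllParcels())
            {
                if (parcel.IsInLandAccessList(userID))
                {
                    message = "Parcel members are allways allowed.";
                    return true;
                }
            }

            // Only non-local users reach this point (local users returned above), so the
            // former "is not local" re-check is unnecessary.
            String homeURL = m_UserManagement.GetUserHomeURL(userID);

            if (checkRemoteAccessList("gridblacklist:" + homeURL))
            {
                message = "You dont have access to this region.";
                return false;
            }

            if (checkRemoteAccessList("userblacklist:" + user + "@" + homeURL))
            {
                message = "You dont have access to this region.";
                return false;
            }

            if (checkRemoteAccessList("grid:" + homeURL))
            {
                message = "Grid whitelist.";
                return true;
            }

            if (checkRemoteAccessList("user:" + user + "@" + homeURL))
            {
                message = "User whitelist";
                return true;
            }

            message = "You dont have access to this region.";
            return false;
        }
    }
}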