/*
* Copyright (c) Contributors, http://opensimulator.org/
* See CONTRIBUTORS.TXT for a full list of copyright holders.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* * Neither the name of the OpenSimulator Project nor the
* names of its contributors may be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using Nini.Config;
using log4net;
using OpenSim.Framework;
using OpenSim.Services.Interfaces;
using OpenSim.Region.Framework.Interfaces;
using OpenSim.Region.Framework.Scenes;
using OpenMetaverse;
using GridRegion = OpenSim.Services.Interfaces.GridRegion;
using System.Net;
using System.Net.Security;
namespace OpenSim.Region.CoreModules.ServiceConnectorsOut.Authorization
{
public class AuthorizationService : IAuthorizationService
{
private enum AccessFlags
{
None = 0, /* No restrictions */
DisallowResidents = 1, /* Only gods and managers*/
DisallowForeigners = 2, /* Only local people */
AllowLocalAndFriendlyHG = 3, /* Only local and friendly people */
}
private static readonly ILog m_log =
LogManager.GetLogger(
MethodBase.GetCurrentMethod().DeclaringType);
private IUserManagement m_UserManagement;
// private IGridService m_GridService;
private Scene m_Scene;
AccessFlags m_accessValue = AccessFlags.None;
String m_serverURL = "";
public static void InitiateSSLTrust()
{
try
{
//Change SSL checks so that all checks pass
ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(delegate{ return true; });
ServicePointManager.ServerCertificateValidationCallback = (a, b, c, d) => true;
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
}
int m_lastListRefresh = 0;
string m_cachedList = "";
private string getAccessList()
{
Int32 _currentUnixTime = (Int32)(DateTime.UtcNow.Subtract(new DateTime(1970, 1, 1))).TotalSeconds;
if((m_lastListRefresh + 60) < _currentUnixTime)
{
try
{
WebClient _client = new WebClient();
m_cachedList = _client.DownloadString(m_serverURL + m_Scene.RegionInfo.RegionID.ToString());
m_lastListRefresh = _currentUnixTime;
return m_cachedList;
}
catch (Exception _error)
{
m_log.Error("[AuthorizationService]: Cant fetch global HG access list!");
Console.WriteLine(_error.Message);
}
return "";
}
else
{
return m_cachedList;
}
}
private bool checkRemoteAccessList(string entry)
{
InitiateSSLTrust();
string _accessList = getAccessList();
if(_accessList != null)
{
entry = entry.Replace("http:", "");
entry = entry.Replace("https:", "");
entry = entry.Replace("/", "");
if (_accessList.Contains(entry))
return true;
}
return false;
}
public AuthorizationService(IConfig config, Scene scene)
{
m_Scene = scene;
m_UserManagement = scene.RequestModuleInterface<IUserManagement>();
// m_GridService = scene.GridService;
if (config != null)
{
string accessStr = config.GetString("Region_ALL", String.Empty);
accessStr = config.GetString("Region_" + scene.RegionInfo.RegionName.Replace(' ', '_'), accessStr);
m_serverURL = config.GetString("GridWideAccessList", "https://mcp.4creative.net/?api=getAccessList®ion=");
if (accessStr != string.Empty)
{
try
{
m_accessValue = (AccessFlags)Enum.Parse(typeof(AccessFlags), accessStr);
}
catch (ArgumentException)
{
m_log.WarnFormat("[AuthorizationService]: {0} is not a valid access flag", accessStr);
}
}
m_log.DebugFormat("[AuthorizationService]: Region {0} access restrictions: {1}", m_Scene.RegionInfo.RegionName, m_accessValue);
}
}
public bool IsAuthorizedForRegion(
string user, string firstName, string lastName, string regionID, out string message)
{
// This should not happen
if (m_Scene.RegionInfo.RegionID.ToString() != regionID)
{
m_log.WarnFormat("[AuthorizationService]: Service for region {0} received request to authorize for region {1}", m_Scene.RegionInfo.RegionID, regionID);
message = string.Format("Region {0} received request to authorize for region {1}", m_Scene.RegionInfo.RegionID, regionID);
return false;
}
if (m_accessValue == AccessFlags.None)
{
message = "Authorized";
return true;
}
UUID userID = new UUID(user);
if (m_accessValue == AccessFlags.DisallowForeigners)
{
if (!m_UserManagement.IsLocalGridUser(userID))
{
message = "No foreign users allowed in this region";
return false;
}
}
if (m_accessValue == AccessFlags.DisallowResidents)
{
if (!(m_Scene.Permissions.IsGod(userID) || m_Scene.Permissions.IsAdministrator(userID)))
{
message = "Only Admins and Managers allowed in this region";
return false;
}
}
if (m_accessValue == AccessFlags.AllowLocalAndFriendlyHG)
{
if (m_UserManagement.IsLocalGridUser(userID))
{
message = "All local users are allowed.";
return true;
}
if ((m_Scene.Permissions.IsGod(userID) || m_Scene.Permissions.IsAdministrator(userID)))
{
message = "Estate administrators are allways allowed.";
return true;
}
foreach (ILandObject _parcel in m_Scene.LandChannel.AllParcels())
{
if (_parcel.IsInLandAccessList(userID))
{
message = "Parcel members are allways allowed.";
return true;
}
}
if (!m_UserManagement.IsLocalGridUser(userID))
{
String _homeURL = m_UserManagement.GetUserHomeURL(userID);
if (checkRemoteAccessList("gridblacklist:" + _homeURL))
{
message = "You dont have access to this region.";
return false;
}
if (checkRemoteAccessList("userblacklist:" + user + "@" + _homeURL))
{
message = "You dont have access to this region.";
return false;
}
if (checkRemoteAccessList("grid:" + _homeURL))
{
message = "Grid whitelist.";
return true;
}
if (checkRemoteAccessList("user:" + user + "@" + _homeURL))
{
message = "User whitelist";
return true;
}
}
message = "You dont have access to this region.";
return false;
}
message = "Authorized";
return true;
}
}
}