256 lines
9.4 KiB
C#
256 lines
9.4 KiB
C#
/*
|
|
* Copyright (c) Contributors, http://opensimulator.org/
|
|
* See CONTRIBUTORS.TXT for a full list of copyright holders.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions are met:
|
|
* * Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* * Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
* * Neither the name of the OpenSimulator Project nor the
|
|
* names of its contributors may be used to endorse or promote products
|
|
* derived from this software without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY
|
|
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
|
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
* DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY
|
|
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
|
|
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
using System;
|
|
using System.Collections.Generic;
|
|
using System.Linq;
|
|
using System.Reflection;
|
|
using Nini.Config;
|
|
using log4net;
|
|
using OpenSim.Framework;
|
|
using OpenSim.Services.Interfaces;
|
|
using OpenSim.Region.Framework.Interfaces;
|
|
using OpenSim.Region.Framework.Scenes;
|
|
using OpenMetaverse;
|
|
|
|
using GridRegion = OpenSim.Services.Interfaces.GridRegion;
|
|
using System.Net;
|
|
using System.Net.Security;
|
|
|
|
namespace OpenSim.Region.CoreModules.ServiceConnectorsOut.Authorization
|
|
{
|
|
public class AuthorizationService : IAuthorizationService
|
|
{
|
|
private enum AccessFlags
|
|
{
|
|
None = 0, /* No restrictions */
|
|
DisallowResidents = 1, /* Only gods and managers*/
|
|
DisallowForeigners = 2, /* Only local people */
|
|
AllowLocalAndFriendlyHG = 3, /* Only local and friendly people */
|
|
}
|
|
|
|
private static readonly ILog m_log =
|
|
LogManager.GetLogger(
|
|
MethodBase.GetCurrentMethod().DeclaringType);
|
|
|
|
private IUserManagement m_UserManagement;
|
|
// private IGridService m_GridService;
|
|
|
|
private Scene m_Scene;
|
|
AccessFlags m_accessValue = AccessFlags.None;
|
|
String m_serverURL = "";
|
|
|
|
public static void InitiateSSLTrust()
|
|
{
|
|
try
|
|
{
|
|
//Change SSL checks so that all checks pass
|
|
ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(delegate{ return true; });
|
|
ServicePointManager.ServerCertificateValidationCallback = (a, b, c, d) => true;
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
Console.WriteLine(ex.Message);
|
|
}
|
|
}
|
|
|
|
int m_lastListRefresh = 0;
|
|
string m_cachedList = "";
|
|
|
|
private string getAccessList()
|
|
{
|
|
Int32 _currentUnixTime = (Int32)(DateTime.UtcNow.Subtract(new DateTime(1970, 1, 1))).TotalSeconds;
|
|
|
|
if((m_lastListRefresh + 60) < _currentUnixTime)
|
|
{
|
|
try
|
|
{
|
|
WebClient _client = new WebClient();
|
|
m_cachedList = _client.DownloadString(m_serverURL + m_Scene.RegionInfo.RegionID.ToString());
|
|
m_lastListRefresh = _currentUnixTime;
|
|
return m_cachedList;
|
|
}
|
|
catch (Exception _error)
|
|
{
|
|
m_log.Error("[AuthorizationService]: Cant fetch global HG access list!");
|
|
Console.WriteLine(_error.Message);
|
|
}
|
|
|
|
return "";
|
|
}
|
|
else
|
|
{
|
|
return m_cachedList;
|
|
}
|
|
}
|
|
|
|
private bool checkRemoteAccessList(string entry)
|
|
{
|
|
InitiateSSLTrust();
|
|
|
|
string _accessList = getAccessList();
|
|
|
|
if(_accessList != null)
|
|
{
|
|
entry = entry.Replace("http:", "");
|
|
entry = entry.Replace("https:", "");
|
|
entry = entry.Replace("/", "");
|
|
|
|
if (_accessList.Contains(entry))
|
|
return true;
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
public AuthorizationService(IConfig config, Scene scene)
|
|
{
|
|
m_Scene = scene;
|
|
m_UserManagement = scene.RequestModuleInterface<IUserManagement>();
|
|
// m_GridService = scene.GridService;
|
|
|
|
if (config != null)
|
|
{
|
|
string accessStr = config.GetString("Region_ALL", String.Empty);
|
|
accessStr = config.GetString("Region_" + scene.RegionInfo.RegionName.Replace(' ', '_'), accessStr);
|
|
m_serverURL = config.GetString("GridWideAccessList", "https://mcp.4creative.net/?api=getAccessList®ion=");
|
|
|
|
if (accessStr != string.Empty)
|
|
{
|
|
try
|
|
{
|
|
m_accessValue = (AccessFlags)Enum.Parse(typeof(AccessFlags), accessStr);
|
|
}
|
|
catch (ArgumentException)
|
|
{
|
|
m_log.WarnFormat("[AuthorizationService]: {0} is not a valid access flag", accessStr);
|
|
}
|
|
}
|
|
m_log.DebugFormat("[AuthorizationService]: Region {0} access restrictions: {1}", m_Scene.RegionInfo.RegionName, m_accessValue);
|
|
}
|
|
|
|
}
|
|
|
|
public bool IsAuthorizedForRegion(
|
|
string user, string firstName, string lastName, string regionID, out string message)
|
|
{
|
|
// This should not happen
|
|
if (m_Scene.RegionInfo.RegionID.ToString() != regionID)
|
|
{
|
|
m_log.WarnFormat("[AuthorizationService]: Service for region {0} received request to authorize for region {1}", m_Scene.RegionInfo.RegionID, regionID);
|
|
message = string.Format("Region {0} received request to authorize for region {1}", m_Scene.RegionInfo.RegionID, regionID);
|
|
return false;
|
|
}
|
|
|
|
if (m_accessValue == AccessFlags.None)
|
|
{
|
|
message = "Authorized";
|
|
return true;
|
|
}
|
|
|
|
UUID userID = new UUID(user);
|
|
|
|
if (m_accessValue == AccessFlags.DisallowForeigners)
|
|
{
|
|
if (!m_UserManagement.IsLocalGridUser(userID))
|
|
{
|
|
message = "No foreign users allowed in this region";
|
|
return false;
|
|
}
|
|
}
|
|
|
|
if (m_accessValue == AccessFlags.DisallowResidents)
|
|
{
|
|
if (!(m_Scene.Permissions.IsGod(userID) || m_Scene.Permissions.IsAdministrator(userID)))
|
|
{
|
|
message = "Only Admins and Managers allowed in this region";
|
|
return false;
|
|
}
|
|
}
|
|
|
|
if (m_accessValue == AccessFlags.AllowLocalAndFriendlyHG)
|
|
{
|
|
if (m_UserManagement.IsLocalGridUser(userID))
|
|
{
|
|
message = "All local users are allowed.";
|
|
return true;
|
|
}
|
|
|
|
if ((m_Scene.Permissions.IsGod(userID) || m_Scene.Permissions.IsAdministrator(userID)))
|
|
{
|
|
message = "Estate administrators are allways allowed.";
|
|
return true;
|
|
}
|
|
|
|
foreach (ILandObject _parcel in m_Scene.LandChannel.AllParcels())
|
|
{
|
|
if (_parcel.IsInLandAccessList(userID))
|
|
{
|
|
message = "Parcel members are allways allowed.";
|
|
return true;
|
|
}
|
|
}
|
|
|
|
if (!m_UserManagement.IsLocalGridUser(userID))
|
|
{
|
|
String _homeURL = m_UserManagement.GetUserHomeURL(userID);
|
|
|
|
|
|
if (checkRemoteAccessList("gridblacklist:" + _homeURL))
|
|
{
|
|
message = "You dont have access to this region.";
|
|
return false;
|
|
}
|
|
|
|
if (checkRemoteAccessList("userblacklist:" + user + "@" + _homeURL))
|
|
{
|
|
message = "You dont have access to this region.";
|
|
return false;
|
|
}
|
|
|
|
if (checkRemoteAccessList("grid:" + _homeURL))
|
|
{
|
|
message = "Grid whitelist.";
|
|
return true;
|
|
}
|
|
|
|
if (checkRemoteAccessList("user:" + user + "@" + _homeURL))
|
|
{
|
|
message = "User whitelist";
|
|
return true;
|
|
}
|
|
}
|
|
|
|
message = "You dont have access to this region.";
|
|
return false;
|
|
}
|
|
|
|
message = "Authorized";
|
|
return true;
|
|
}
|
|
}
|
|
} |