diff --git a/OpenSim/Region/CoreModules/ServiceConnectorsOut/Authorization/AuthorizationService.cs b/OpenSim/Region/CoreModules/ServiceConnectorsOut/Authorization/AuthorizationService.cs
new file mode 100644
index 0000000000..f0d21e67db
--- /dev/null
+++ b/OpenSim/Region/CoreModules/ServiceConnectorsOut/Authorization/AuthorizationService.cs
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) Contributors, http://opensimulator.org/
+ * See CONTRIBUTORS.TXT for a full list of copyright holders.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * Neither the name of the OpenSimulator Project nor the
+ * names of its contributors may be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Reflection;
+using Nini.Config;
+using log4net;
+using OpenSim.Framework;
+using OpenSim.Services.Interfaces;
+using OpenSim.Region.Framework.Interfaces;
+using OpenSim.Region.Framework.Scenes;
+using OpenMetaverse;
+
+using GridRegion = OpenSim.Services.Interfaces.GridRegion;
+
+namespace OpenSim.Region.CoreModules.ServiceConnectorsOut.Authorization
+{
+ public class AuthorizationService : IAuthorizationService
+ {
+ private enum AccessFlags
+ {
+ None = 0, /* No restrictions */
+ DisallowResidents = 1, /* Only gods and managers*/
+ DisallowForeigners = 2, /* Only local people */
+ }
+
+ private static readonly ILog m_log =
+ LogManager.GetLogger(
+ MethodBase.GetCurrentMethod().DeclaringType);
+
+ private IUserManagement m_UserManagement;
+ private IGridService m_GridService;
+
+ private Scene m_Scene;
+ AccessFlags m_accessValue = AccessFlags.None;
+
+
+ public AuthorizationService(IConfig config, Scene scene)
+ {
+ m_Scene = scene;
+ m_UserManagement = scene.RequestModuleInterface();
+ m_GridService = scene.GridService;
+
+ if (config != null)
+ {
+ string accessStr = config.GetString("Region_" + scene.RegionInfo.RegionName.Replace(' ', '_'), String.Empty);
+ if (accessStr != string.Empty)
+ {
+ try
+ {
+ m_accessValue = (AccessFlags)Enum.Parse(typeof(AccessFlags), accessStr);
+ }
+ catch (ArgumentException)
+ {
+ m_log.WarnFormat("[AuthorizationService]: {0} is not a valid access flag", accessStr);
+ }
+ }
+ m_log.DebugFormat("[AuthorizationService]: Region {0} access restrictions: {1}", m_Scene.RegionInfo.RegionName, m_accessValue);
+ }
+
+ }
+
+ public bool IsAuthorizedForRegion(
+ string user, string firstName, string lastName, string regionID, out string message)
+ {
+ message = "authorized";
+
+ // This should not happen
+ if (m_Scene.RegionInfo.RegionID.ToString() != regionID)
+ {
+ m_log.WarnFormat("[AuthorizationService]: Service for region {0} received request 
to authorize for region {1}", + m_Scene.RegionInfo.RegionID, regionID); + return true; + } + + if (m_accessValue == AccessFlags.None) + return true; + + UUID userID = new UUID(user); + bool authorized = true; + if ((m_accessValue & AccessFlags.DisallowForeigners) == AccessFlags.DisallowForeigners) + { + authorized = m_UserManagement.IsLocalGridUser(userID); + if (!authorized) + message = "no foreigner users allowed in this region"; + } + if (authorized && (m_accessValue & AccessFlags.DisallowResidents) == AccessFlags.DisallowResidents) + { + authorized = m_Scene.Permissions.IsGod(userID) | m_Scene.Permissions.IsAdministrator(userID); + if (!authorized) + message = "only Admins and Managers allowed in this region"; + } + + return authorized; + } + + } +} \ No newline at end of file diff --git a/OpenSim/Region/CoreModules/ServiceConnectorsOut/Authorization/LocalAuthorizationServiceConnector.cs b/OpenSim/Region/CoreModules/ServiceConnectorsOut/Authorization/LocalAuthorizationServiceConnector.cs index 18a7177b6f..c982db61fc 100644 --- a/OpenSim/Region/CoreModules/ServiceConnectorsOut/Authorization/LocalAuthorizationServiceConnector.cs +++ b/OpenSim/Region/CoreModules/ServiceConnectorsOut/Authorization/LocalAuthorizationServiceConnector.cs @@ -39,13 +39,15 @@ using OpenMetaverse; namespace OpenSim.Region.CoreModules.ServiceConnectorsOut.Authorization { - public class LocalAuthorizationServicesConnector : ISharedRegionModule, IAuthorizationService + public class LocalAuthorizationServicesConnector : INonSharedRegionModule, IAuthorizationService { private static readonly ILog m_log = LogManager.GetLogger( MethodBase.GetCurrentMethod().DeclaringType); private IAuthorizationService m_AuthorizationService; + private Scene m_Scene; + private IConfig m_AuthorizationConfig; private bool m_Enabled = false; 
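Review bot: The region-mismatch branch in IsAuthorizedForRegion fails open: it logs a warning and then returns `true`, so a request this service cannot evaluate is treated as authorized. An authorization check should deny on unexpected input, e.g. `message = "region mismatch"; return false;`. The constructor has the same shape: when Enum.Parse rejects the configured value the catch only warns and m_accessValue stays `None`, so a misspelled flag leaves the region unrestricted; logging that at error level, or refusing access until the setting is fixed, would make the misconfiguration visible. `new UUID(user)` is also unguarded, so a malformed id presumably surfaces as an exception rather than a denial with a message.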
@@ -69,33 +71,8 @@ namespace OpenSim.Region.CoreModules.ServiceConnectorsOut.Authorization string name = moduleConfig.GetString("AuthorizationServices", string.Empty); if (name == Name) { - IConfig authorizationConfig = source.Configs["AuthorizationService"]; - if (authorizationConfig == null) - { - m_log.Error("[AUTHORIZATION CONNECTOR]: AuthorizationService missing from OpenSim.ini"); - return; - } - - string serviceDll = authorizationConfig.GetString("LocalServiceModule", - String.Empty); - - if (serviceDll == String.Empty) - { - m_log.Error("[AUTHORIZATION CONNECTOR]: No LocalServiceModule named in section AuthorizationService"); - return; - } - - Object[] args = new Object[] { source }; - m_AuthorizationService = - ServerUtils.LoadPlugin(serviceDll, - args); - - if (m_AuthorizationService == null) - { - m_log.Error("[AUTHORIZATION CONNECTOR]: Can't load authorization service"); - return; - } m_Enabled = true; + m_AuthorizationConfig = source.Configs["AuthorizationService"]; m_log.Info("[AUTHORIZATION CONNECTOR]: Local authorization connector enabled"); } } @@ -115,6 +92,9 @@ namespace OpenSim.Region.CoreModules.ServiceConnectorsOut.Authorization return; scene.RegisterModuleInterface(this); + m_Scene = scene; + + scene.EventManager.OnLoginsEnabled += new EventManager.LoginsEnabled(OnLoginsEnabled); } public void RemoveRegion(Scene scene) @@ -131,9 +111,18 @@ namespace OpenSim.Region.CoreModules.ServiceConnectorsOut.Authorization scene.RegionInfo.RegionName); } + private void OnLoginsEnabled(string regionName) + { + m_AuthorizationService = new AuthorizationService(m_AuthorizationConfig, m_Scene); + } + public bool IsAuthorizedForRegion( string userID, string firstName, string lastName, string regionID, out string message) { + message = ""; + if (!m_Enabled) + return true; + return m_AuthorizationService.IsAuthorizedForRegion(userID, firstName, lastName, regionID, out message); } } 
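Review bot: The `OnLoginsEnabled` subscription added in AddRegion has no matching removal; the handler is new in this commit and no hunk touches RemoveRegion, so it stays attached to the scene's EventManager after the region is removed. Add `scene.EventManager.OnLoginsEnabled -= OnLoginsEnabled;` to RemoveRegion. AddRegion starts and RemoveRegion ends outside this hunk.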
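Review bot: m_AuthorizationService is only assigned in OnLoginsEnabled, but IsAuthorizedForRegion dereferences it whenever m_Enabled is true, so a call that arrives before the logins-enabled event fires throws a NullReferenceException instead of giving an access decision. Guard the call and deny until the service exists: `if (m_AuthorizationService == null) { message = "authorization service not ready"; return false; }`. The `!m_Enabled` path returning `true` deserves a comment stating that a disabled connector means no region restrictions at all, since that is the fail-open default callers get.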
diff --git a/OpenSim/Region/Framework/Scenes/Scene.cs b/OpenSim/Region/Framework/Scenes/Scene.cs index 6f2dd78a28..a6f92500b0 100644 --- a/OpenSim/Region/Framework/Scenes/Scene.cs +++ b/OpenSim/Region/Framework/Scenes/Scene.cs @@ -3547,8 +3547,8 @@ namespace OpenSim.Region.Framework.Scenes if (!AuthorizationService.IsAuthorizedForRegion( agent.AgentID.ToString(), agent.firstname, agent.lastname, RegionInfo.RegionID.ToString(), out reason)) { - m_log.WarnFormat("[CONNECTION BEGIN]: Denied access to: {0} ({1} {2}) at {3} because the user does not have access to the region", - agent.AgentID, agent.firstname, agent.lastname, RegionInfo.RegionName); + m_log.WarnFormat("[CONNECTION BEGIN]: Denied access to: {0} ({1} {2}) at {3} because {4}", + agent.AgentID, agent.firstname, agent.lastname, RegionInfo.RegionName, reason); return false; } diff --git a/bin/config-include/Grid.ini b/bin/config-include/Grid.ini index da860c6859..95d62649ca 100644 --- a/bin/config-include/Grid.ini +++ b/bin/config-include/Grid.ini @@ -14,6 +14,7 @@ AvatarServices = "RemoteAvatarServicesConnector" NeighbourServices = "RemoteNeighbourServicesConnector" AuthenticationServices = "RemoteAuthenticationServicesConnector" + AuthorizationServices = "LocalAuthorizationServicesConnector" PresenceServices = "RemotePresenceServicesConnector" UserAccountServices = "RemoteUserAccountServicesConnector" GridUserServices = "RemoteGridUserServicesConnector" diff --git a/bin/config-include/GridCommon.ini.example b/bin/config-include/GridCommon.ini.example index 712481d299..fa6f5258c5 100644 --- a/bin/config-include/GridCommon.ini.example +++ b/bin/config-include/GridCommon.ini.example 
@@ -146,3 +146,13 @@ [MapImageService] MapImageServerURI = "http://mygridserver.com:8003" + +[AuthorizationService] + ; If you have regions with access restrictions + ; specify them here using the convention + ; Region_ = + ; Valid flags are: + ; DisallowForeigners -- HG visitors not allowed + ; DisallowResidents -- only Admins and Managers allowed + ; Example: + ; Region_Test_1 = "DisallowForeigners" diff --git a/bin/config-include/GridHypergrid.ini b/bin/config-include/GridHypergrid.ini index 5f0ba370e1..da447f1e12 100644 --- a/bin/config-include/GridHypergrid.ini +++ b/bin/config-include/GridHypergrid.ini @@ -17,6 +17,7 @@ AvatarServices = "RemoteAvatarServicesConnector" NeighbourServices = "RemoteNeighbourServicesConnector" AuthenticationServices = "RemoteAuthenticationServicesConnector" + AuthorizationServices = "LocalAuthorizationServicesConnector" PresenceServices = "RemotePresenceServicesConnector" UserAccountServices = "RemoteUserAccountServicesConnector" GridUserServices = "RemoteGridUserServicesConnector" diff --git a/bin/config-include/Standalone.ini b/bin/config-include/Standalone.ini index 6ad4ac9e68..d307387e85 100644 --- a/bin/config-include/Standalone.ini +++ b/bin/config-include/Standalone.ini @@ -9,6 +9,7 @@ InventoryServices = "LocalInventoryServicesConnector" NeighbourServices = "LocalNeighbourServicesConnector" AuthenticationServices = "LocalAuthenticationServicesConnector" + AuthorizationServices = "LocalAuthorizationServicesConnector" GridServices = "LocalGridServicesConnector" PresenceServices = "LocalPresenceServicesConnector" UserAccountServices = "LocalUserAccountServicesConnector" @@ -47,9 +48,6 @@ [AvatarService] LocalServiceModule = "OpenSim.Services.AvatarService.dll:AvatarService" -[AuthorizationService] - LocalServiceModule = "OpenSim.Services.AuthorizationService.dll:AuthorizationService" - [AuthenticationService] LocalServiceModule = "OpenSim.Services.AuthenticationService.dll:PasswordAuthenticationService" 
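Review bot: The comment block lists the flag names but not how they are parsed, and the parsing decides whether a restriction is applied at all. AuthorizationService reads the value with `Enum.Parse(typeof(AccessFlags), accessStr)`, which is case-sensitive, and an unrecognised value only logs a warning and leaves the region unrestricted. Add lines such as `; Flag names are case-sensitive; an unrecognised value is ignored and the region stays open` and `; Combine flags with a comma: "DisallowForeigners, DisallowResidents"`. The same block is added to StandaloneCommon.ini.example and needs the same lines.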
diff --git a/bin/config-include/StandaloneCommon.ini.example b/bin/config-include/StandaloneCommon.ini.example index 2f39218b13..2a7e49e76f 100644 --- a/bin/config-include/StandaloneCommon.ini.example +++ b/bin/config-include/StandaloneCommon.ini.example @@ -231,3 +231,13 @@ [MapImageService] ; Set this if you want to change the default ; TilesStoragePath = "maptiles" + +[AuthorizationService] + ; If you have regions with access restrictions + ; specify them here using the convention + ; Region_ = + ; Valid flags are: + ; DisallowForeigners -- HG visitors not allowed + ; DisallowResidents -- only Admins and Managers allowed + ; Example: + ; Region_Test_1 = "DisallowForeigners" \ No newline at end of file diff --git a/bin/config-include/StandaloneHypergrid.ini b/bin/config-include/StandaloneHypergrid.ini index 00beb31f10..286d0a1374 100644 --- a/bin/config-include/StandaloneHypergrid.ini +++ b/bin/config-include/StandaloneHypergrid.ini @@ -12,6 +12,7 @@ InventoryServices = "HGInventoryBroker" NeighbourServices = "LocalNeighbourServicesConnector" AuthenticationServices = "LocalAuthenticationServicesConnector" + AuthorizationServices = "LocalAuthorizationServicesConnector" GridServices = "LocalGridServicesConnector" PresenceServices = "LocalPresenceServicesConnector" UserAccountServices = "LocalUserAccountServicesConnector" @@ -68,9 +69,6 @@ LibraryName = "OpenSim Library" DefaultLibrary = "./inventory/Libraries.xml" -[AuthorizationService] - LocalServiceModule = "OpenSim.Services.AuthorizationService.dll:AuthorizationService" - [AuthenticationService] LocalServiceModule = "OpenSim.Services.AuthenticationService.dll:PasswordAuthenticationService"