Merge branch 'master' into Mario/vaporizer_damage
[xonotic/xonotic-data.pk3dir.git] / qcsrc / server / ipban.qc
1 #include "ipban.qh"
2 #include "_all.qh"
3
4 #include "autocvars.qh"
5 #include "command/banning.qh"
6 #include "defs.qh"
7 #include "../common/constants.qh"
8 #include "../common/util.qh"
9 #include "../dpdefs/dpextensions.qh"
10 #include "../dpdefs/progsdefs.qh"
11
12 /*
13  * Protocol of online ban list:
14  *
15  * - Reporting a ban:
16  *     GET g_ban_sync_uri?action=ban&hostname=...&ip=xxx.xxx.xxx&duration=nnnn&reason=...................
17  *     (IP 1, 2, 3, or 4 octets, 3 octets for example is a /24 mask)
18  * - Removing a ban:
19  *     GET g_ban_sync_uri?action=unban&hostname=...&ip=xxx.xxx.xxx
20  * - Querying the ban list
21  *     GET g_ban_sync_uri?action=list&hostname=...&servers=xxx.xxx.xxx.xxx;xxx.xxx.xxx.xxx;...
22  *
23  *     shows the bans from the listed servers, and possibly others.
24  *     Format of a ban is ASCII plain text, four lines per ban, delimited by
25  *     newline ONLY (no carriage return):
26  *
27  *     IP address (also 1, 2, 3, or 4 octets, delimited by dot)
28  *     time left in seconds
29  *     reason of the ban
30  *     server IP that registered the ban
31  */
32
33 #define MAX_IPBAN_URIS (URI_GET_IPBAN_END - URI_GET_IPBAN + 1)
34
35 float Ban_Insert(string ip, float bantime, string reason, float dosync);
36
37 void OnlineBanList_SendBan(string ip, float bantime, string reason)
38 {
39         string uri;
40         float i, n;
41
42         uri = strcat(     "action=ban&hostname=", uri_escape(autocvar_hostname));
43         uri = strcat(uri, "&ip=", uri_escape(ip));
44         uri = strcat(uri, "&duration=", ftos(bantime));
45         uri = strcat(uri, "&reason=", uri_escape(reason));
46
47         n = tokenize_console(autocvar_g_ban_sync_uri);
48         if(n >= MAX_IPBAN_URIS)
49                 n = MAX_IPBAN_URIS;
50         for(i = 0; i < n; ++i)
51         {
52                 if(strstrofs(argv(i), "?", 0) >= 0)
53                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
54                 else
55                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
56         }
57 }
58
59 void OnlineBanList_SendUnban(string ip)
60 {
61         string uri;
62         float i, n;
63
64         uri = strcat(     "action=unban&hostname=", uri_escape(autocvar_hostname));
65         uri = strcat(uri, "&ip=", uri_escape(ip));
66
67         n = tokenize_console(autocvar_g_ban_sync_uri);
68         if(n >= MAX_IPBAN_URIS)
69                 n = MAX_IPBAN_URIS;
70         for(i = 0; i < n; ++i)
71         {
72                 if(strstrofs(argv(i), "?", 0) >= 0)
73                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
74                 else
75                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
76         }
77 }
78
79 string OnlineBanList_Servers;
80 float OnlineBanList_Timeout;
81 float OnlineBanList_RequestWaiting[MAX_IPBAN_URIS];
82
83 void OnlineBanList_URI_Get_Callback(float id, float status, string data)
84 {
85         float n, i, j, l;
86         string ip;
87         float timeleft;
88         string reason;
89         string serverip;
90         float syncinterval;
91         string uri;
92
93         id -= URI_GET_IPBAN;
94
95         if(id >= MAX_IPBAN_URIS)
96         {
97                 LOG_INFO("Received ban list for invalid ID\n");
98                 return;
99         }
100
101         tokenize_console(autocvar_g_ban_sync_uri);
102         uri = argv(id);
103
104         LOG_INFO("Received ban list from ", uri, ": ");
105
106         if(OnlineBanList_RequestWaiting[id] == 0)
107         {
108                 LOG_INFO("rejected (unexpected)\n");
109                 return;
110         }
111
112         OnlineBanList_RequestWaiting[id] = 0;
113
114         if(time > OnlineBanList_Timeout)
115         {
116                 LOG_INFO("rejected (too late)\n");
117                 return;
118         }
119
120         syncinterval = autocvar_g_ban_sync_interval;
121         if(syncinterval == 0)
122         {
123                 LOG_INFO("rejected (syncing disabled)\n");
124                 return;
125         }
126         if(syncinterval > 0)
127                 syncinterval *= 60;
128
129         if(status != 0)
130         {
131                 LOG_INFO("error: status is ", ftos(status), "\n");
132                 return;
133         }
134
135         if(substring(data, 0, 1) == "<")
136         {
137                 LOG_INFO("error: received HTML instead of a ban list\n");
138                 return;
139         }
140
141         if(strstrofs(data, "\r", 0) != -1)
142         {
143                 LOG_INFO("error: received carriage returns\n");
144                 return;
145         }
146
147         if(data == "")
148                 n = 0;
149         else
150                 n = tokenizebyseparator(data, "\n");
151
152         if((n % 4) != 0)
153         {
154                 LOG_INFO("error: received invalid item count: ", ftos(n), "\n");
155                 return;
156         }
157
158         LOG_INFO("OK, ", ftos(n / 4), " items\n");
159
160         for(i = 0; i < n; i += 4)
161         {
162                 ip = argv(i);
163                 timeleft = stof(argv(i + 1));
164                 reason = argv(i + 2);
165                 serverip = argv(i + 3);
166
167                 LOG_TRACE("received ban list item ", ftos(i / 4), ": ip=", ip);
168                 LOG_TRACE(" timeleft=", ftos(timeleft), " reason=", reason);
169                 LOG_TRACE(" serverip=", serverip, "\n");
170
171                 timeleft -= 1.5 * autocvar_g_ban_sync_timeout;
172                 if(timeleft < 0)
173                         continue;
174
175                 l = strlen(ip);
176                 if(l != 44) // length 44 is a cryptographic ID
177                 {
178                         for(j = 0; j < l; ++j)
179                                 if(strstrofs("0123456789.", substring(ip, j, 1), 0) == -1)
180                                 {
181                                         LOG_INFO("Invalid character ", substring(ip, j, 1), " in IP address ", ip, ". Skipping this ban.\n");
182                                         goto skip;
183                                 }
184                 }
185
186                 if(autocvar_g_ban_sync_trusted_servers_verify)
187                         if((strstrofs(strcat(";", OnlineBanList_Servers, ";"), strcat(";", serverip, ";"), 0) == -1))
188                                 continue;
189
190                 if(syncinterval > 0)
191                         timeleft = min(syncinterval + (OnlineBanList_Timeout - time) + 5, timeleft);
192                         // the ban will be prolonged on the next sync
193                         // or expire 5 seconds after the next timeout
194                 Ban_Insert(ip, timeleft, strcat("ban synced from ", serverip, " at ", uri), 0);
195                 LOG_INFO("Ban list syncing: accepted ban of ", ip, " by ", serverip, " at ", uri, ": ");
196                 LOG_INFO(reason, "\n");
197
198 :skip
199         }
200 }
201
202 void OnlineBanList_Think()
203 {
204         float argc;
205         string uri;
206         float i, n;
207
208         if(autocvar_g_ban_sync_uri == "")
209                 goto killme;
210         if(autocvar_g_ban_sync_interval == 0) // < 0 is okay, it means "sync on level start only"
211                 goto killme;
212         argc = tokenize_console(autocvar_g_ban_sync_trusted_servers);
213         if(argc == 0)
214                 goto killme;
215
216         if(OnlineBanList_Servers)
217                 strunzone(OnlineBanList_Servers);
218         OnlineBanList_Servers = argv(0);
219         for(i = 1; i < argc; ++i)
220                 OnlineBanList_Servers = strcat(OnlineBanList_Servers, ";", argv(i));
221         OnlineBanList_Servers = strzone(OnlineBanList_Servers);
222
223         uri = strcat(     "action=list&hostname=", uri_escape(autocvar_hostname));
224         uri = strcat(uri, "&servers=", uri_escape(OnlineBanList_Servers));
225
226         OnlineBanList_Timeout = time + autocvar_g_ban_sync_timeout;
227
228         n = tokenize_console(autocvar_g_ban_sync_uri);
229         if(n >= MAX_IPBAN_URIS)
230                 n = MAX_IPBAN_URIS;
231         for(i = 0; i < n; ++i)
232         {
233                 if(OnlineBanList_RequestWaiting[i])
234                         continue;
235                 OnlineBanList_RequestWaiting[i] = 1;
236                 if(strstrofs(argv(i), "?", 0) >= 0)
237                         uri_get(strcat(argv(i), "&", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
238                 else
239                         uri_get(strcat(argv(i), "?", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
240         }
241
242         if(autocvar_g_ban_sync_interval > 0)
243                 self.nextthink = time + max(60, autocvar_g_ban_sync_interval * 60);
244         else
245                 goto killme;
246         return;
247
248 :killme
249         remove(self);
250 }
251
252 const float BAN_MAX = 256;
253 float ban_loaded;
254 string ban_ip[BAN_MAX];
255 float ban_expire[BAN_MAX];
256 float ban_count;
257
258 string ban_ip1;
259 string ban_ip2;
260 string ban_ip3;
261 string ban_ip4;
262 string ban_idfp;
263
264 void Ban_SaveBans()
265 {
266         string out;
267         float i;
268
269         if(!ban_loaded)
270                 return;
271
272         // version of list
273         out = "1";
274         for(i = 0; i < ban_count; ++i)
275         {
276                 if(time > ban_expire[i])
277                         continue;
278                 out = strcat(out, " ", ban_ip[i]);
279                 out = strcat(out, " ", ftos(ban_expire[i] - time));
280         }
281         if(strlen(out) <= 1) // no real entries
282                 cvar_set("g_banned_list", "");
283         else
284                 cvar_set("g_banned_list", out);
285 }
286
287 float Ban_Delete(float i)
288 {
289         if(i < 0)
290                 return false;
291         if(i >= ban_count)
292                 return false;
293         if(ban_expire[i] == 0)
294                 return false;
295         if(ban_expire[i] > 0)
296         {
297                 OnlineBanList_SendUnban(ban_ip[i]);
298                 strunzone(ban_ip[i]);
299         }
300         ban_expire[i] = 0;
301         ban_ip[i] = "";
302         Ban_SaveBans();
303         return true;
304 }
305
306 void Ban_LoadBans()
307 {
308         float i, n;
309         for(i = 0; i < ban_count; ++i)
310                 Ban_Delete(i);
311         ban_count = 0;
312         ban_loaded = true;
313         n = tokenize_console(autocvar_g_banned_list);
314         if(stof(argv(0)) == 1)
315         {
316                 ban_count = (n - 1) / 2;
317                 for(i = 0; i < ban_count; ++i)
318                 {
319                         ban_ip[i] = strzone(argv(2*i+1));
320                         ban_expire[i] = time + stof(argv(2*i+2));
321                 }
322         }
323
324         entity e;
325         e = spawn();
326         e.classname = "bansyncer";
327         e.think = OnlineBanList_Think;
328         e.nextthink = time + 1;
329 }
330
331 void Ban_View()
332 {
333         float i, n;
334         string msg;
335
336         LOG_INFO("^2Listing all existing active bans:\n");
337
338         n = 0;
339         for(i = 0; i < ban_count; ++i)
340         {
341                 if(time > ban_expire[i])
342                         continue;
343
344                 ++n; // total number of existing bans
345
346                 msg = strcat("#", ftos(i), ": ");
347                 msg = strcat(msg, ban_ip[i], " is still banned for ");
348                 msg = strcat(msg, ftos(ban_expire[i] - time), " seconds");
349
350                 LOG_INFO("  ", msg, "\n");
351         }
352
353         LOG_INFO("^2Done listing all active (", ftos(n), ") bans.\n");
354 }
355
356 float Ban_GetClientIP(entity client)
357 {
358         // we can't use tokenizing here, as this is called during ban list parsing
359         float i1, i2, i3, i4;
360         string s;
361
362         if(client.crypto_idfp_signed)
363                 ban_idfp = client.crypto_idfp;
364         else
365                 ban_idfp = string_null;
366
367         s = client.netaddress;
368
369         i1 = strstrofs(s, ".", 0);
370         if(i1 < 0)
371                 goto ipv6;
372         i2 = strstrofs(s, ".", i1 + 1);
373         if(i2 < 0)
374                 return false;
375         i3 = strstrofs(s, ".", i2 + 1);
376         if(i3 < 0)
377                 return false;
378         i4 = strstrofs(s, ".", i3 + 1);
379         if(i4 >= 0)
380                 s = substring(s, 0, i4);
381
382         ban_ip1 = substring(s, 0, i1); // 8
383         ban_ip2 = substring(s, 0, i2); // 16
384         ban_ip3 = substring(s, 0, i3); // 24
385         ban_ip4 = strcat1(s); // 32
386         return true;
387
388 :ipv6
389         i1 = strstrofs(s, ":", 0);
390         if(i1 < 0)
391                 return false;
392         i1 = strstrofs(s, ":", i1 + 1);
393         if(i1 < 0)
394                 return false;
395         i2 = strstrofs(s, ":", i1 + 1);
396         if(i2 < 0)
397                 return false;
398         i3 = strstrofs(s, ":", i2 + 1);
399         if(i3 < 0)
400                 return false;
401
402         ban_ip1 = strcat(substring(s, 0, i1), "::/32"); // 32
403         ban_ip2 = strcat(substring(s, 0, i2), "::/48"); // 48
404         ban_ip4 = strcat(substring(s, 0, i3), "::/64"); // 64
405
406         if(i3 - i2 > 3) // means there is more than 2 digits and a : in the range
407                 ban_ip3 = strcat(substring(s, 0, i2), ":", substring(s, i2 + 1, i3 - i2 - 3), "00::/56");
408         else
409                 ban_ip3 = strcat(substring(s, 0, i2), ":0::/56");
410
411         return true;
412 }
413
414 float Ban_IsClientBanned(entity client, float idx)
415 {
416         float i, b, e, ipbanned;
417         if(!ban_loaded)
418                 Ban_LoadBans();
419         if(!Ban_GetClientIP(client))
420                 return false;
421         if(idx < 0)
422         {
423                 b = 0;
424                 e = ban_count;
425         }
426         else
427         {
428                 b = idx;
429                 e = idx + 1;
430         }
431         ipbanned = false;
432         for(i = b; i < e; ++i)
433         {
434                 string s;
435                 if(time > ban_expire[i])
436                         continue;
437                 s = ban_ip[i];
438                 if(ban_ip1 == s) ipbanned = true;
439                 if(ban_ip2 == s) ipbanned = true;
440                 if(ban_ip3 == s) ipbanned = true;
441                 if(ban_ip4 == s) ipbanned = true;
442                 if(ban_idfp == s) return true;
443         }
444         if(ipbanned)
445         {
446                 if(!autocvar_g_banned_list_idmode)
447                         return true;
448                 if (!ban_idfp)
449                         return true;
450         }
451         return false;
452 }
453
454 float Ban_MaybeEnforceBan(entity client)
455 {
456         if(Ban_IsClientBanned(client, -1))
457         {
458                 string s;
459                 s = strcat("^1NOTE:^7 banned client ", client.netaddress, " just tried to enter\n");
460                 dropclient(client);
461                 bprint(s);
462                 return true;
463         }
464         return false;
465 }
466
467 .float ban_checked;
468 float Ban_MaybeEnforceBanOnce(entity client)
469 {
470         if(client.ban_checked)
471                 return false;
472         client.ban_checked = true;
473         return Ban_MaybeEnforceBan(client);
474 }
475
476 string Ban_Enforce(float i, string reason)
477 {
478         string s;
479         entity e;
480
481         // Enforce our new ban
482         s = "";
483         FOR_EACH_CLIENTSLOT(e)
484                 if (IS_REAL_CLIENT(e))
485                 if(Ban_IsClientBanned(e, i))
486                 {
487                         if(reason != "")
488                         {
489                                 if(s == "")
490                                         reason = strcat(reason, ": affects ");
491                                 else
492                                         reason = strcat(reason, ", ");
493                                 reason = strcat(reason, e.netname);
494                         }
495                         s = strcat(s, "^1NOTE:^7 banned client ", e.netaddress, "^7 has to go\n");
496                         dropclient(e);
497                 }
498         bprint(s);
499
500         return reason;
501 }
502
503 float Ban_Insert(string ip, float bantime, string reason, float dosync)
504 {
505         float i;
506         float j;
507         float bestscore;
508
509         // already banned?
510         for(i = 0; i < ban_count; ++i)
511                 if(ban_ip[i] == ip)
512                 {
513                         // prolong the ban
514                         if(time + bantime > ban_expire[i])
515                         {
516                                 ban_expire[i] = time + bantime;
517                                 LOG_TRACE(ip, "'s ban has been prolonged to ", ftos(bantime), " seconds from now\n");
518                         }
519                         else
520                                 LOG_TRACE(ip, "'s ban is still active until ", ftos(ban_expire[i] - time), " seconds from now\n");
521
522                         // and enforce
523                         reason = Ban_Enforce(i, reason);
524
525                         // and abort
526                         if(dosync)
527                                 if(reason != "")
528                                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
529                                                 OnlineBanList_SendBan(ip, bantime, reason);
530
531                         return false;
532                 }
533
534         // do we have a free slot?
535         for(i = 0; i < ban_count; ++i)
536                 if(time > ban_expire[i])
537                         break;
538         // no free slot? Then look for the one who would get unbanned next
539         if(i >= BAN_MAX)
540         {
541                 i = 0;
542                 bestscore = ban_expire[i];
543                 for(j = 1; j < ban_count; ++j)
544                 {
545                         if(ban_expire[j] < bestscore)
546                         {
547                                 i = j;
548                                 bestscore = ban_expire[i];
549                         }
550                 }
551         }
552         // if we replace someone, will we be banned longer than him (so long-term
553         // bans never get overridden by short-term bans)
554         if(i < ban_count)
555         if(ban_expire[i] > time + bantime)
556         {
557                 LOG_INFO(ip, " could not get banned due to no free ban slot\n");
558                 return false;
559         }
560         // okay, insert our new victim as i
561         Ban_Delete(i);
562         LOG_TRACE(ip, " has been banned for ", ftos(bantime), " seconds\n");
563         ban_expire[i] = time + bantime;
564         ban_ip[i] = strzone(ip);
565         ban_count = max(ban_count, i + 1);
566
567         Ban_SaveBans();
568
569         reason = Ban_Enforce(i, reason);
570
571         // and abort
572         if(dosync)
573                 if(reason != "")
574                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
575                                 OnlineBanList_SendBan(ip, bantime, reason);
576
577         return true;
578 }
579
580 void Ban_KickBanClient(entity client, float bantime, float masksize, string reason)
581 {
582         string ip, id;
583         if(!Ban_GetClientIP(client))
584         {
585                 sprint(client, strcat("Kickbanned: ", reason, "\n"));
586                 dropclient(client);
587                 return;
588         }
589
590         // who to ban?
591         switch(masksize)
592         {
593                 case 1:
594                         ip = strcat1(ban_ip1);
595                         break;
596                 case 2:
597                         ip = strcat1(ban_ip2);
598                         break;
599                 case 3:
600                         ip = strcat1(ban_ip3);
601                         break;
602                 case 4:
603                 default:
604                         ip = strcat1(ban_ip4);
605                         break;
606         }
607         if(ban_idfp)
608                 id = strcat1(ban_idfp);
609         else
610                 id = string_null;
611
612         Ban_Insert(ip, bantime, reason, 1);
613         if(id)
614                 Ban_Insert(id, bantime, reason, 1);
615         /*
616          * not needed, as we enforce the ban in Ban_Insert anyway
617         // and kick him
618         sprint(client, strcat("Kickbanned: ", reason, "\n"));
619         dropclient(client);
620          */
621 }