Merge branch 'master' into Mario/qc_updates
[xonotic/xonotic-data.pk3dir.git] / qcsrc / server / ipban.qc
1 #if defined(CSQC)
2 #elif defined(MENUQC)
3 #elif defined(SVQC)
4         #include "../dpdefs/progsdefs.qh"
5     #include "../dpdefs/dpextensions.qh"
6     #include "../common/constants.qh"
7     #include "../common/util.qh"
8     #include "autocvars.qh"
9     #include "defs.qh"
10     #include "command/banning.qh"
11     #include "ipban.qh"
12 #endif
13
14 /*
15  * Protocol of online ban list:
16  *
17  * - Reporting a ban:
18  *     GET g_ban_sync_uri?action=ban&hostname=...&ip=xxx.xxx.xxx&duration=nnnn&reason=...................
19  *     (IP 1, 2, 3, or 4 octets, 3 octets for example is a /24 mask)
20  * - Removing a ban:
21  *     GET g_ban_sync_uri?action=unban&hostname=...&ip=xxx.xxx.xxx
22  * - Querying the ban list
23  *     GET g_ban_sync_uri?action=list&hostname=...&servers=xxx.xxx.xxx.xxx;xxx.xxx.xxx.xxx;...
24  *
25  *     shows the bans from the listed servers, and possibly others.
26  *     Format of a ban is ASCII plain text, four lines per ban, delimited by
27  *     newline ONLY (no carriage return):
28  *
29  *     IP address (also 1, 2, 3, or 4 octets, delimited by dot)
30  *     time left in seconds
31  *     reason of the ban
32  *     server IP that registered the ban
33  */
34
35 #define MAX_IPBAN_URIS (URI_GET_IPBAN_END - URI_GET_IPBAN + 1)
36
37 float Ban_Insert(string ip, float bantime, string reason, float dosync);
38
39 void OnlineBanList_SendBan(string ip, float bantime, string reason)
40 {
41         string uri;
42         float i, n;
43
44         uri = strcat(     "action=ban&hostname=", uri_escape(autocvar_hostname));
45         uri = strcat(uri, "&ip=", uri_escape(ip));
46         uri = strcat(uri, "&duration=", ftos(bantime));
47         uri = strcat(uri, "&reason=", uri_escape(reason));
48
49         n = tokenize_console(autocvar_g_ban_sync_uri);
50         if(n >= MAX_IPBAN_URIS)
51                 n = MAX_IPBAN_URIS;
52         for(i = 0; i < n; ++i)
53         {
54                 if(strstrofs(argv(i), "?", 0) >= 0)
55                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
56                 else
57                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
58         }
59 }
60
61 void OnlineBanList_SendUnban(string ip)
62 {
63         string uri;
64         float i, n;
65
66         uri = strcat(     "action=unban&hostname=", uri_escape(autocvar_hostname));
67         uri = strcat(uri, "&ip=", uri_escape(ip));
68
69         n = tokenize_console(autocvar_g_ban_sync_uri);
70         if(n >= MAX_IPBAN_URIS)
71                 n = MAX_IPBAN_URIS;
72         for(i = 0; i < n; ++i)
73         {
74                 if(strstrofs(argv(i), "?", 0) >= 0)
75                         uri_get(strcat(argv(i), "&", uri), URI_GET_DISCARD); // 0 = "discard" callback target
76                 else
77                         uri_get(strcat(argv(i), "?", uri), URI_GET_DISCARD); // 0 = "discard" callback target
78         }
79 }
80
81 string OnlineBanList_Servers;
82 float OnlineBanList_Timeout;
83 float OnlineBanList_RequestWaiting[MAX_IPBAN_URIS];
84
85 void OnlineBanList_URI_Get_Callback(float id, float status, string data)
86 {
87         float n, i, j, l;
88         string ip;
89         float timeleft;
90         string reason;
91         string serverip;
92         float syncinterval;
93         string uri;
94
95         id -= URI_GET_IPBAN;
96
97         if(id >= MAX_IPBAN_URIS)
98         {
99                 print("Received ban list for invalid ID\n");
100                 return;
101         }
102
103         tokenize_console(autocvar_g_ban_sync_uri);
104         uri = argv(id);
105
106         print("Received ban list from ", uri, ": ");
107
108         if(OnlineBanList_RequestWaiting[id] == 0)
109         {
110                 print("rejected (unexpected)\n");
111                 return;
112         }
113
114         OnlineBanList_RequestWaiting[id] = 0;
115
116         if(time > OnlineBanList_Timeout)
117         {
118                 print("rejected (too late)\n");
119                 return;
120         }
121
122         syncinterval = autocvar_g_ban_sync_interval;
123         if(syncinterval == 0)
124         {
125                 print("rejected (syncing disabled)\n");
126                 return;
127         }
128         if(syncinterval > 0)
129                 syncinterval *= 60;
130
131         if(status != 0)
132         {
133                 print("error: status is ", ftos(status), "\n");
134                 return;
135         }
136
137         if(substring(data, 0, 1) == "<")
138         {
139                 print("error: received HTML instead of a ban list\n");
140                 return;
141         }
142
143         if(strstrofs(data, "\r", 0) != -1)
144         {
145                 print("error: received carriage returns\n");
146                 return;
147         }
148
149         if(data == "")
150                 n = 0;
151         else
152                 n = tokenizebyseparator(data, "\n");
153
154         if((n % 4) != 0)
155         {
156                 print("error: received invalid item count: ", ftos(n), "\n");
157                 return;
158         }
159
160         print("OK, ", ftos(n / 4), " items\n");
161
162         for(i = 0; i < n; i += 4)
163         {
164                 ip = argv(i);
165                 timeleft = stof(argv(i + 1));
166                 reason = argv(i + 2);
167                 serverip = argv(i + 3);
168
169                 dprint("received ban list item ", ftos(i / 4), ": ip=", ip);
170                 dprint(" timeleft=", ftos(timeleft), " reason=", reason);
171                 dprint(" serverip=", serverip, "\n");
172
173                 timeleft -= 1.5 * autocvar_g_ban_sync_timeout;
174                 if(timeleft < 0)
175                         continue;
176
177                 l = strlen(ip);
178                 if(l != 44) // length 44 is a cryptographic ID
179                 {
180                         for(j = 0; j < l; ++j)
181                                 if(strstrofs("0123456789.", substring(ip, j, 1), 0) == -1)
182                                 {
183                                         print("Invalid character ", substring(ip, j, 1), " in IP address ", ip, ". Skipping this ban.\n");
184                                         goto skip;
185                                 }
186                 }
187
188                 if(autocvar_g_ban_sync_trusted_servers_verify)
189                         if((strstrofs(strcat(";", OnlineBanList_Servers, ";"), strcat(";", serverip, ";"), 0) == -1))
190                                 continue;
191
192                 if(syncinterval > 0)
193                         timeleft = min(syncinterval + (OnlineBanList_Timeout - time) + 5, timeleft);
194                         // the ban will be prolonged on the next sync
195                         // or expire 5 seconds after the next timeout
196                 Ban_Insert(ip, timeleft, strcat("ban synced from ", serverip, " at ", uri), 0);
197                 print("Ban list syncing: accepted ban of ", ip, " by ", serverip, " at ", uri, ": ");
198                 print(reason, "\n");
199
200 :skip
201         }
202 }
203
204 void OnlineBanList_Think()
205 {
206         float argc;
207         string uri;
208         float i, n;
209
210         if(autocvar_g_ban_sync_uri == "")
211                 goto killme;
212         if(autocvar_g_ban_sync_interval == 0) // < 0 is okay, it means "sync on level start only"
213                 goto killme;
214         argc = tokenize_console(autocvar_g_ban_sync_trusted_servers);
215         if(argc == 0)
216                 goto killme;
217
218         if(OnlineBanList_Servers)
219                 strunzone(OnlineBanList_Servers);
220         OnlineBanList_Servers = argv(0);
221         for(i = 1; i < argc; ++i)
222                 OnlineBanList_Servers = strcat(OnlineBanList_Servers, ";", argv(i));
223         OnlineBanList_Servers = strzone(OnlineBanList_Servers);
224
225         uri = strcat(     "action=list&hostname=", uri_escape(autocvar_hostname));
226         uri = strcat(uri, "&servers=", uri_escape(OnlineBanList_Servers));
227
228         OnlineBanList_Timeout = time + autocvar_g_ban_sync_timeout;
229
230         n = tokenize_console(autocvar_g_ban_sync_uri);
231         if(n >= MAX_IPBAN_URIS)
232                 n = MAX_IPBAN_URIS;
233         for(i = 0; i < n; ++i)
234         {
235                 if(OnlineBanList_RequestWaiting[i])
236                         continue;
237                 OnlineBanList_RequestWaiting[i] = 1;
238                 if(strstrofs(argv(i), "?", 0) >= 0)
239                         uri_get(strcat(argv(i), "&", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
240                 else
241                         uri_get(strcat(argv(i), "?", uri), URI_GET_IPBAN + i); // 1000 = "banlist" callback target
242         }
243
244         if(autocvar_g_ban_sync_interval > 0)
245                 self.nextthink = time + max(60, autocvar_g_ban_sync_interval * 60);
246         else
247                 goto killme;
248         return;
249
250 :killme
251         remove(self);
252 }
253
254 const float BAN_MAX = 256;
255 float ban_loaded;
256 string ban_ip[BAN_MAX];
257 float ban_expire[BAN_MAX];
258 float ban_count;
259
260 string ban_ip1;
261 string ban_ip2;
262 string ban_ip3;
263 string ban_ip4;
264 string ban_idfp;
265
266 void Ban_SaveBans()
267 {
268         string out;
269         float i;
270
271         if(!ban_loaded)
272                 return;
273
274         // version of list
275         out = "1";
276         for(i = 0; i < ban_count; ++i)
277         {
278                 if(time > ban_expire[i])
279                         continue;
280                 out = strcat(out, " ", ban_ip[i]);
281                 out = strcat(out, " ", ftos(ban_expire[i] - time));
282         }
283         if(strlen(out) <= 1) // no real entries
284                 cvar_set("g_banned_list", "");
285         else
286                 cvar_set("g_banned_list", out);
287 }
288
289 float Ban_Delete(float i)
290 {
291         if(i < 0)
292                 return false;
293         if(i >= ban_count)
294                 return false;
295         if(ban_expire[i] == 0)
296                 return false;
297         if(ban_expire[i] > 0)
298         {
299                 OnlineBanList_SendUnban(ban_ip[i]);
300                 strunzone(ban_ip[i]);
301         }
302         ban_expire[i] = 0;
303         ban_ip[i] = "";
304         Ban_SaveBans();
305         return true;
306 }
307
308 void Ban_LoadBans()
309 {
310         float i, n;
311         for(i = 0; i < ban_count; ++i)
312                 Ban_Delete(i);
313         ban_count = 0;
314         ban_loaded = true;
315         n = tokenize_console(autocvar_g_banned_list);
316         if(stof(argv(0)) == 1)
317         {
318                 ban_count = (n - 1) / 2;
319                 for(i = 0; i < ban_count; ++i)
320                 {
321                         ban_ip[i] = strzone(argv(2*i+1));
322                         ban_expire[i] = time + stof(argv(2*i+2));
323                 }
324         }
325
326         entity e;
327         e = spawn();
328         e.classname = "bansyncer";
329         e.think = OnlineBanList_Think;
330         e.nextthink = time + 1;
331 }
332
333 void Ban_View()
334 {
335         float i, n;
336         string msg;
337
338         print("^2Listing all existing active bans:\n");
339
340         n = 0;
341         for(i = 0; i < ban_count; ++i)
342         {
343                 if(time > ban_expire[i])
344                         continue;
345
346                 ++n; // total number of existing bans
347
348                 msg = strcat("#", ftos(i), ": ");
349                 msg = strcat(msg, ban_ip[i], " is still banned for ");
350                 msg = strcat(msg, ftos(ban_expire[i] - time), " seconds");
351
352                 print("  ", msg, "\n");
353         }
354
355         print("^2Done listing all active (", ftos(n), ") bans.\n");
356 }
357
358 float Ban_GetClientIP(entity client)
359 {
360         // we can't use tokenizing here, as this is called during ban list parsing
361         float i1, i2, i3, i4;
362         string s;
363
364         if(client.crypto_keyfp)
365                 ban_idfp = client.crypto_idfp;
366         else
367                 ban_idfp = string_null;
368
369         s = client.netaddress;
370
371         i1 = strstrofs(s, ".", 0);
372         if(i1 < 0)
373                 goto ipv6;
374         i2 = strstrofs(s, ".", i1 + 1);
375         if(i2 < 0)
376                 return false;
377         i3 = strstrofs(s, ".", i2 + 1);
378         if(i3 < 0)
379                 return false;
380         i4 = strstrofs(s, ".", i3 + 1);
381         if(i4 >= 0)
382                 s = substring(s, 0, i4);
383
384         ban_ip1 = substring(s, 0, i1); // 8
385         ban_ip2 = substring(s, 0, i2); // 16
386         ban_ip3 = substring(s, 0, i3); // 24
387         ban_ip4 = strcat1(s); // 32
388         return true;
389
390 :ipv6
391         i1 = strstrofs(s, ":", 0);
392         if(i1 < 0)
393                 return false;
394         i1 = strstrofs(s, ":", i1 + 1);
395         if(i1 < 0)
396                 return false;
397         i2 = strstrofs(s, ":", i1 + 1);
398         if(i2 < 0)
399                 return false;
400         i3 = strstrofs(s, ":", i2 + 1);
401         if(i3 < 0)
402                 return false;
403
404         ban_ip1 = strcat(substring(s, 0, i1), "::/32"); // 32
405         ban_ip2 = strcat(substring(s, 0, i2), "::/48"); // 48
406         ban_ip4 = strcat(substring(s, 0, i3), "::/64"); // 64
407
408         if(i3 - i2 > 3) // means there is more than 2 digits and a : in the range
409                 ban_ip3 = strcat(substring(s, 0, i2), ":", substring(s, i2 + 1, i3 - i2 - 3), "00::/56");
410         else
411                 ban_ip3 = strcat(substring(s, 0, i2), ":0::/56");
412
413         return true;
414 }
415
416 float Ban_IsClientBanned(entity client, float idx)
417 {
418         float i, b, e, ipbanned;
419         if(!ban_loaded)
420                 Ban_LoadBans();
421         if(!Ban_GetClientIP(client))
422                 return false;
423         if(idx < 0)
424         {
425                 b = 0;
426                 e = ban_count;
427         }
428         else
429         {
430                 b = idx;
431                 e = idx + 1;
432         }
433         ipbanned = false;
434         for(i = b; i < e; ++i)
435         {
436                 string s;
437                 if(time > ban_expire[i])
438                         continue;
439                 s = ban_ip[i];
440                 if(ban_ip1 == s) ipbanned = true;
441                 if(ban_ip2 == s) ipbanned = true;
442                 if(ban_ip3 == s) ipbanned = true;
443                 if(ban_ip4 == s) ipbanned = true;
444                 if(ban_idfp == s) return true;
445         }
446         if(ipbanned)
447         {
448                 if(!autocvar_g_banned_list_idmode)
449                         return true;
450                 if (!ban_idfp)
451                         return true;
452         }
453         return false;
454 }
455
456 float Ban_MaybeEnforceBan(entity client)
457 {
458         if(Ban_IsClientBanned(client, -1))
459         {
460                 string s;
461                 s = strcat("^1NOTE:^7 banned client ", client.netaddress, " just tried to enter\n");
462                 dropclient(client);
463                 bprint(s);
464                 return true;
465         }
466         return false;
467 }
468
469 .float ban_checked;
470 float Ban_MaybeEnforceBanOnce(entity client)
471 {
472         if(client.ban_checked)
473                 return false;
474         client.ban_checked = true;
475         return Ban_MaybeEnforceBan(client);
476 }
477
478 string Ban_Enforce(float i, string reason)
479 {
480         string s;
481         entity e;
482
483         // Enforce our new ban
484         s = "";
485         FOR_EACH_CLIENTSLOT(e)
486                 if (IS_REAL_CLIENT(e))
487                 if(Ban_IsClientBanned(e, i))
488                 {
489                         if(reason != "")
490                         {
491                                 if(s == "")
492                                         reason = strcat(reason, ": affects ");
493                                 else
494                                         reason = strcat(reason, ", ");
495                                 reason = strcat(reason, e.netname);
496                         }
497                         s = strcat(s, "^1NOTE:^7 banned client ", e.netaddress, "^7 has to go\n");
498                         dropclient(e);
499                 }
500         bprint(s);
501
502         return reason;
503 }
504
505 float Ban_Insert(string ip, float bantime, string reason, float dosync)
506 {
507         float i;
508         float j;
509         float bestscore;
510
511         // already banned?
512         for(i = 0; i < ban_count; ++i)
513                 if(ban_ip[i] == ip)
514                 {
515                         // prolong the ban
516                         if(time + bantime > ban_expire[i])
517                         {
518                                 ban_expire[i] = time + bantime;
519                                 dprint(ip, "'s ban has been prolonged to ", ftos(bantime), " seconds from now\n");
520                         }
521                         else
522                                 dprint(ip, "'s ban is still active until ", ftos(ban_expire[i] - time), " seconds from now\n");
523
524                         // and enforce
525                         reason = Ban_Enforce(i, reason);
526
527                         // and abort
528                         if(dosync)
529                                 if(reason != "")
530                                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
531                                                 OnlineBanList_SendBan(ip, bantime, reason);
532
533                         return false;
534                 }
535
536         // do we have a free slot?
537         for(i = 0; i < ban_count; ++i)
538                 if(time > ban_expire[i])
539                         break;
540         // no free slot? Then look for the one who would get unbanned next
541         if(i >= BAN_MAX)
542         {
543                 i = 0;
544                 bestscore = ban_expire[i];
545                 for(j = 1; j < ban_count; ++j)
546                 {
547                         if(ban_expire[j] < bestscore)
548                         {
549                                 i = j;
550                                 bestscore = ban_expire[i];
551                         }
552                 }
553         }
554         // if we replace someone, will we be banned longer than him (so long-term
555         // bans never get overridden by short-term bans)
556         if(i < ban_count)
557         if(ban_expire[i] > time + bantime)
558         {
559                 print(ip, " could not get banned due to no free ban slot\n");
560                 return false;
561         }
562         // okay, insert our new victim as i
563         Ban_Delete(i);
564         dprint(ip, " has been banned for ", ftos(bantime), " seconds\n");
565         ban_expire[i] = time + bantime;
566         ban_ip[i] = strzone(ip);
567         ban_count = max(ban_count, i + 1);
568
569         Ban_SaveBans();
570
571         reason = Ban_Enforce(i, reason);
572
573         // and abort
574         if(dosync)
575                 if(reason != "")
576                         if(substring(reason, 0, 1) != "~") // like IRC: unauthenticated banner
577                                 OnlineBanList_SendBan(ip, bantime, reason);
578
579         return true;
580 }
581
582 void Ban_KickBanClient(entity client, float bantime, float masksize, string reason)
583 {
584         string ip, id;
585         if(!Ban_GetClientIP(client))
586         {
587                 sprint(client, strcat("Kickbanned: ", reason, "\n"));
588                 dropclient(client);
589                 return;
590         }
591
592         // who to ban?
593         switch(masksize)
594         {
595                 case 1:
596                         ip = strcat1(ban_ip1);
597                         break;
598                 case 2:
599                         ip = strcat1(ban_ip2);
600                         break;
601                 case 3:
602                         ip = strcat1(ban_ip3);
603                         break;
604                 case 4:
605                 default:
606                         ip = strcat1(ban_ip4);
607                         break;
608         }
609         if(ban_idfp)
610                 id = strcat1(ban_idfp);
611         else
612                 id = string_null;
613
614         Ban_Insert(ip, bantime, reason, 1);
615         if(id)
616                 Ban_Insert(id, bantime, reason, 1);
617         /*
618          * not needed, as we enforce the ban in Ban_Insert anyway
619         // and kick him
620         sprint(client, strcat("Kickbanned: ", reason, "\n"));
621         dropclient(client);
622          */
623 }