oragono/irc/utils/net.go

// Copyright (c) 2012-2014 Jeremy Latt
// Copyright (c) 2016 Daniel Oaks <daniel@danieloaks.net>
// released under the MIT license

package utils

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

var (
	// subnet mask for an ipv6 /128:
	mask128             = net.CIDRMask(128, 128)
	IPv4LoopbackAddress = net.ParseIP("127.0.0.1").To16()

	validHostnameLabelRegexp = regexp.MustCompile(`^[0-9A-Za-z.\-]+$`)
)

// AddrToIP returns the IP address for a net.Addr; unix domain sockets are treated as IPv4 loopback
func AddrToIP(addr net.Addr) net.IP {
	if tcpaddr, ok := addr.(*net.TCPAddr); ok {
		return tcpaddr.IP.To16()
	} else if _, ok := addr.(*net.UnixAddr); ok {
		return IPv4LoopbackAddress
	} else {
		return nil
	}
}

// IPStringToHostname converts a string representation of an IP address to an IRC-ready hostname
func IPStringToHostname(ipStr string) string {
	if 0 < len(ipStr) && ipStr[0] == ':' {
		// fix for IPv6 hostnames (so they don't start with a colon), same as all other IRCds
		ipStr = "0" + ipStr
	}
	return ipStr
}

// IsHostname returns whether we consider `name` a valid hostname.
func IsHostname(name string) bool {
	name = strings.TrimSuffix(name, ".")
	if len(name) < 1 || len(name) > 253 {
		return false
	}

	// ensure each part of hostname is valid
	for _, part := range strings.Split(name, ".") {
		if len(part) < 1 || len(part) > 63 || strings.HasPrefix(part, "-") || strings.HasSuffix(part, "-") {
			return false
		}
		if !validHostnameLabelRegexp.MatchString(part) {
			return false
		}
	}

	return true
}

// IsServerName returns whether we consider `name` a valid IRC server name.
func IsServerName(name string) bool {
	// IRC server names specifically require a period
	return IsHostname(name) && strings.IndexByte(name, '.') != -1
}

// Convenience to test whether `ip` is contained in any of `nets`.
func IPInNets(ip net.IP, nets []net.IPNet) bool {
	for _, network := range nets {
		if network.Contains(ip) {
			return true
		}
	}
	return false
}

// NormalizeIPToNet represents an address (v4 or v6) as the v6 /128 CIDR
// containing only it.
func NormalizeIPToNet(addr net.IP) (network net.IPNet) {
	// represent ipv4 addresses as ipv6 addresses, using the 4-in-6 prefix
	// (actually this should be a no-op for any address returned by ParseIP)
	addr = addr.To16()
	// the network corresponding to this address is now an ipv6 /128:
	return net.IPNet{
		IP:   addr,
		Mask: mask128,
	}
}

// NormalizeNet normalizes an IPNet to a v6 CIDR, using the 4-in-6 prefix.
// (this is like IP.To16(), but for IPNet instead of IP)
func NormalizeNet(network net.IPNet) (result net.IPNet) {
	if len(network.IP) == 16 {
		return network
	}
	ones, _ := network.Mask.Size()
	return net.IPNet{
		IP: network.IP.To16(),
		// include the 96 bits of the 4-in-6 prefix
		Mask: net.CIDRMask(96+ones, 128),
	}
}

// Given a network, produce a human-readable string
// (i.e., CIDR if it's actually a network, IPv6 address if it's a v6 /128,
// dotted quad if it's a v4 /32).
func NetToNormalizedString(network net.IPNet) string {
	ones, bits := network.Mask.Size()
	if ones == bits && ones == len(network.IP)*8 {
		// either a /32 or a /128, output the address:
		return network.IP.String()
	}
	return network.String()
}

// Parse a human-readable description (an address or CIDR, either v4 or v6)
// into a normalized v6 net.IPNet.
func NormalizedNetFromString(str string) (result net.IPNet, err error) {
	_, network, err := net.ParseCIDR(str)
	if err == nil {
		return NormalizeNet(*network), nil
	}
	ip := net.ParseIP(str)
	if ip == nil {
		err = &net.AddrError{
			Err:  "Couldn't interpret as either CIDR or address",
			Addr: str,
		}
		return
	}
	return NormalizeIPToNet(ip), nil
}

// Parse a list of IPs and nets as they would appear in one of our config
// files, e.g., proxy-allowed-from or a throttling exemption list.
func ParseNetList(netList []string) (nets []net.IPNet, err error) {
	var network net.IPNet
	for _, netStr := range netList {
		if netStr == "localhost" {
			ipv4Loopback, _ := NormalizedNetFromString("127.0.0.0/8")
			ipv6Loopback, _ := NormalizedNetFromString("::1/128")
			nets = append(nets, ipv4Loopback)
			nets = append(nets, ipv6Loopback)
			continue
		}
		network, err = NormalizedNetFromString(netStr)
		if err != nil {
			return
		} else {
			nets = append(nets, network)
		}
	}
	return
}

// Process the X-Forwarded-For header, validating against a list of trusted IPs.
// Returns the address that the request was forwarded for, or nil if no trustworthy
// data was available.
func HandleXForwardedFor(remoteAddr string, xForwardedFor string, whitelist []net.IPNet) (result net.IP) {
	// http.Request.RemoteAddr "has no defined format". with TCP it's typically "127.0.0.1:23784",
	// with unix domain it's typically "@"
	var remoteIP net.IP
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		remoteIP = IPv4LoopbackAddress
	} else {
		remoteIP = net.ParseIP(host)
	}

	if remoteIP == nil || !IPInNets(remoteIP, whitelist) {
		return remoteIP
	}

	// walk backwards through the X-Forwarded-For chain looking for an IP
	// that is *not* trusted. that means it was added by one of our trusted
	// forwarders (either remoteIP or something ahead of it in the chain)
	// and we can trust it:
	result = remoteIP
	forwardedIPs := strings.Split(xForwardedFor, ",")
	for i := len(forwardedIPs) - 1; i >= 0; i-- {
		proxiedIP := net.ParseIP(strings.TrimSpace(forwardedIPs[i]))
		if proxiedIP == nil {
			return
		} else if !IPInNets(proxiedIP, whitelist) {
			return proxiedIP
		} else {
			result = proxiedIP
		}
	}

	// no valid untrusted IPs were found in the chain;
	// return either the last valid and trusted IP (which must be the origin),
	// or nil:
	return
}

func DescribeConn(conn net.Conn) string {
	// XXX for unix domain sockets, this is not informative enough for an operator
	// to determine who holds the other side of the connection. there seems to be
	// no way to get either the correct file descriptor of the connection, or the
	// udiag_ino from `man 7 sock_diag`. maybe there's something else we can do?
	return fmt.Sprintf("%s <-> %s", conn.LocalAddr().String(), conn.RemoteAddr().String())
}