mirror
/
oragono
镜像来自 https://github.com/oragono/oragono


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219
							// Copyright (c) 2012-2014 Jeremy Latt
// Copyright (c) 2016 Daniel Oaks <daniel@danieloaks.net>
// released under the MIT license

package utils

import (
	"fmt"
	"net"
	"regexp"
	"strings"
	"syscall"
)

var (
	// subnet mask for an ipv6 /128:
	mask128             = net.CIDRMask(128, 128)
	IPv4LoopbackAddress = net.ParseIP("127.0.0.1").To16()

	validHostnameLabelRegexp = regexp.MustCompile(`^[0-9A-Za-z.\-]+$`)
)

// AddrToIP returns the IP address for a net.Addr; unix domain sockets are treated as IPv4 loopback
func AddrToIP(addr net.Addr) net.IP {
	if tcpaddr, ok := addr.(*net.TCPAddr); ok {
		return tcpaddr.IP.To16()
	} else if _, ok := addr.(*net.UnixAddr); ok {
		return IPv4LoopbackAddress
	} else {
		return nil
	}
}

// IPStringToHostname converts a string representation of an IP address to an IRC-ready hostname
func IPStringToHostname(ipStr string) string {
	if 0 < len(ipStr) && ipStr[0] == ':' {
		// fix for IPv6 hostnames (so they don't start with a colon), same as all other IRCds
		ipStr = "0" + ipStr
	}
	return ipStr
}

// IsHostname returns whether we consider `name` a valid hostname.
func IsHostname(name string) bool {
	name = strings.TrimSuffix(name, ".")
	if len(name) < 1 || len(name) > 253 {
		return false
	}

	// ensure each part of hostname is valid
	for _, part := range strings.Split(name, ".") {
		if len(part) < 1 || len(part) > 63 || strings.HasPrefix(part, "-") || strings.HasSuffix(part, "-") {
			return false
		}
		if !validHostnameLabelRegexp.MatchString(part) {
			return false
		}
	}

	return true
}

// IsServerName returns whether we consider `name` a valid IRC server name.
func IsServerName(name string) bool {
	// IRC server names specifically require a period
	return IsHostname(name) && strings.IndexByte(name, '.') != -1
}

// Convenience to test whether `ip` is contained in any of `nets`.
func IPInNets(ip net.IP, nets []net.IPNet) bool {
	for _, network := range nets {
		if network.Contains(ip) {
			return true
		}
	}
	return false
}

// NormalizeIPToNet represents an address (v4 or v6) as the v6 /128 CIDR
// containing only it.
func NormalizeIPToNet(addr net.IP) (network net.IPNet) {
	// represent ipv4 addresses as ipv6 addresses, using the 4-in-6 prefix
	// (actually this should be a no-op for any address returned by ParseIP)
	addr = addr.To16()
	// the network corresponding to this address is now an ipv6 /128:
	return net.IPNet{
		IP:   addr,
		Mask: mask128,
	}
}

// NormalizeNet normalizes an IPNet to a v6 CIDR, using the 4-in-6 prefix.
// (this is like IP.To16(), but for IPNet instead of IP)
func NormalizeNet(network net.IPNet) (result net.IPNet) {
	if len(network.IP) == 16 {
		return network
	}
	ones, _ := network.Mask.Size()
	return net.IPNet{
		IP: network.IP.To16(),
		// include the 96 bits of the 4-in-6 prefix
		Mask: net.CIDRMask(96+ones, 128),
	}
}

// Given a network, produce a human-readable string
// (i.e., CIDR if it's actually a network, IPv6 address if it's a v6 /128,
// dotted quad if it's a v4 /32).
func NetToNormalizedString(network net.IPNet) string {
	ones, bits := network.Mask.Size()
	if ones == bits && ones == len(network.IP)*8 {
		// either a /32 or a /128, output the address:
		return network.IP.String()
	}
	return network.String()
}

// Parse a human-readable description (an address or CIDR, either v4 or v6)
// into a normalized v6 net.IPNet.
func NormalizedNetFromString(str string) (result net.IPNet, err error) {
	_, network, err := net.ParseCIDR(str)
	if err == nil {
		return NormalizeNet(*network), nil
	}
	ip := net.ParseIP(str)
	if ip == nil {
		err = &net.AddrError{
			Err:  "Couldn't interpret as either CIDR or address",
			Addr: str,
		}
		return
	}
	return NormalizeIPToNet(ip), nil
}

// Parse a list of IPs and nets as they would appear in one of our config
// files, e.g., proxy-allowed-from or a throttling exemption list.
func ParseNetList(netList []string) (nets []net.IPNet, err error) {
	var network net.IPNet
	for _, netStr := range netList {
		if netStr == "localhost" {
			ipv4Loopback, _ := NormalizedNetFromString("127.0.0.0/8")
			ipv6Loopback, _ := NormalizedNetFromString("::1/128")
			nets = append(nets, ipv4Loopback)
			nets = append(nets, ipv6Loopback)
			continue
		}
		network, err = NormalizedNetFromString(netStr)
		if err != nil {
			return
		} else {
			nets = append(nets, network)
		}
	}
	return
}

// Process the X-Forwarded-For header, validating against a list of trusted IPs.
// Returns the address that the request was forwarded for, or nil if no trustworthy
// data was available.
func HandleXForwardedFor(remoteAddr string, xForwardedFor string, whitelist []net.IPNet) (result net.IP) {
	// http.Request.RemoteAddr "has no defined format". with TCP it's typically "127.0.0.1:23784",
	// with unix domain it's typically "@"
	var remoteIP net.IP
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		remoteIP = IPv4LoopbackAddress
	} else {
		remoteIP = net.ParseIP(host)
	}

	if remoteIP == nil || !IPInNets(remoteIP, whitelist) {
		return remoteIP
	}

	// walk backwards through the X-Forwarded-For chain looking for an IP
	// that is *not* trusted. that means it was added by one of our trusted
	// forwarders (either remoteIP or something ahead of it in the chain)
	// and we can trust it:
	result = remoteIP
	forwardedIPs := strings.Split(xForwardedFor, ",")
	for i := len(forwardedIPs) - 1; i >= 0; i-- {
		proxiedIP := net.ParseIP(strings.TrimSpace(forwardedIPs[i]))
		if proxiedIP == nil {
			return
		} else if !IPInNets(proxiedIP, whitelist) {
			return proxiedIP
		} else {
			result = proxiedIP
		}
	}

	// no valid untrusted IPs were found in the chain;
	// return either the last valid and trusted IP (which must be the origin),
	// or nil:
	return
}

// Output a description of a connection that can identify it to other systems
// administration tools.
func DescribeConn(c net.Conn) (description string) {
	description = "<error>"
	switch conn := c.(type) {
	case *net.UnixConn:
		f, err := conn.File()
		if err != nil {
			return
		}
		defer f.Close()
		ucred, err := syscall.GetsockoptUcred(int(f.Fd()), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
		if err != nil {
			return
		}
		return fmt.Sprintf("%s <-> %s [pid=%d, uid=%d]", conn.LocalAddr().String(), conn.RemoteAddr().String(), ucred.Pid, ucred.Uid)
	default:
		// *net.TCPConn or *tls.Conn
		return fmt.Sprintf("%s <-> %s", conn.LocalAddr().String(), conn.RemoteAddr().String())
	}
}