Added support for username handling when URL requests are submitted v…

…ia Websense v4 from Cisco ASA using user-identity (Identity Firwall)
jeroennijhof · Aug 3, 2013 · 7ef78b8 · 7ef78b8
1 parent 1c72631
commit 7ef78b8
Show file tree

Hide file tree

Showing 4 changed files with 66 additions and 16 deletions.
diff --git a/openufp.c b/openufp.c
@@ -24,6 +24,7 @@ void usage() {
     printf("OPTIONS:\n");
     printf("   -l PORT   on which port openufp will listen for incoming requests\n");
     printf("   -r URL    when url is denied the client will be redirected to this url; n2h2 only\n");
+    printf("   -u	 utilize User Identity info from capable Cisco products. Must use with -w as frontend\n");
     printf("   -c SECS   cache expire time in seconds; default 3600; 0 disables caching\n");
     printf("   -C URL    remove specified URL from cache\n");
     printf("   -d LEVEL  debug level 1-3\n\n");
@@ -46,7 +47,6 @@ void usage() {
     printf("Report bugs to: [email protected]\n\n");
 }
 
-
 // Main function
 int main(int argc, char**argv) {
     int openufp_fd;
@@ -62,9 +62,9 @@ int main(int argc, char**argv) {
     char *proxy_deny_pattern = NULL;
     char *blacklist = NULL;
     int squidguard = 0;
-
+    int usrid = 0;
     int c;
-    while ((c = getopt(argc, argv, "l:r:c:C:d:nwp:f:g")) != -1) {
+    while ((c = getopt(argc, argv, "l:r:c:C:d:nwp:f:gu")) != -1) {
         char *p;
         char hash[10];
         DB *cachedb;
@@ -116,12 +116,15 @@ int main(int argc, char**argv) {
             case 'g':
                 squidguard = 1;
                 break;
+            case 'u':
+                usrid = 1;
+                break;
             default:
                 usage();
                 exit(1);
         }
     }
-    if (frontend == 0 || ((proxy_ip == NULL || proxy_port == 0 || proxy_deny_pattern == NULL)
+    if (frontend == 0 || (frontend != WEBSNS && usrid == 1) || ((proxy_ip == NULL || proxy_port == 0 || proxy_deny_pattern == NULL)
                     && blacklist == NULL && squidguard == 0)) {
         usage();
         exit(1);
@@ -173,6 +176,11 @@ int main(int argc, char**argv) {
     syslog(LOG_INFO, "v%s: Jeroen Nijhof <[email protected]>", VERSION); 
     syslog(LOG_INFO, "started listening on %d, waiting for requests...", local_port); 
 
+    if (usrid == 1 && debug > 0)
+    {
+        printf("openufp started with usrname support\n");
+    }
+
     if ((pid = fork()) == 0) {
         struct sockaddr_in cli_addr;
         socklen_t cli_size;
@@ -222,8 +230,16 @@ int main(int argc, char**argv) {
                         request = n2h2_validate(n2h2_request, msgsize);
                     } else {
                         websns_request = (struct websns_req *)msg;
-                        websns_convert(websns_request, msg, msgsize);
+
+			//secret debug
+                        if(debug > 3)
+			{
+		        	syslog(LOG_INFO, "Websense debug request output: size %d, vers_maj %d, vers_min %d, vers_pat %d, serial %d, code %d, desc %d, srcip %d, dstip %d, urlsize %d, url %s",
+                                                 websns_request->size, websns_request->vers_maj, websns_request->vers_min, websns_request->vers_pat, websns_request->serial, websns_request->code, websns_request->desc, websns_request->srcip, websns_request->dstip, websns_request->urlsize, websns_request->url);
+			}
+                        websns_convert(websns_request, msg, msgsize, debug);
                         request = websns_validate(websns_request, msgsize);
+
                     }
                     if (request.type == UNKNOWN) {
                         syslog(LOG_WARNING, "request type not known, closing connecion.");
@@ -249,7 +265,7 @@ int main(int argc, char**argv) {
                     // URL request
                     if (request.type == N2H2_REQ || request.type == WEBSNS_REQ) {
                         if (debug > 0)
-                            syslog(LOG_INFO, "received url request.");
+                            syslog(LOG_INFO, "received url request: %s", request.url);
 
                         // check if cached
                         get_hash(request.url, hash);
@@ -267,9 +283,17 @@ int main(int argc, char**argv) {
                             denied = proxy_backend(proxy_ip, proxy_port, proxy_deny_pattern, request.url, debug);
                         }
 
-                        // parse url to proxy
+                        // parse url to squidguard
                         if (!cached && !denied && squidguard) {
-                            denied = squidguard_backend(sg_fd, request.srcip, request.url, debug);
+				// check whether srcip or srcip+usrid will be used:
+				if (usrid == 1)
+				{
+					denied = squidguard_backend_uid(sg_fd, request.srcip, request.usr, request.url, debug);
+				}
+				else
+				{
+                          		denied = squidguard_backend(sg_fd, request.srcip, request.url, debug);
+				}
                         }
 
                         if (denied) {
@@ -279,8 +303,18 @@ int main(int argc, char**argv) {
                                 websns_deny(cli_fd, websns_request, redirect_url);
                             }
                             if (debug > 0)
-                                syslog(LOG_INFO, "url denied: srcip %s, dstip %s, url %s",
-                                                 request.srcip, request.dstip, request.url);
+			    {
+				if (usrid == 1)
+				{
+                                	syslog(LOG_INFO, "url denied: srcip %s, srcusr %s, dstip %s, url %s",
+                                                 request.srcip, request.usr, request.dstip, request.url);
+				}
+				else
+				{
+                                        syslog(LOG_INFO, "url denied: srcip %s, dstip %s, url %s",
+                                                request.srcip, request.dstip, request.url);
+				}
+			    }
                         } else {
                             if (frontend == N2H2) {
                                 n2h2_accept(cli_fd, n2h2_request);

diff --git a/openufp.h b/openufp.h
@@ -21,6 +21,7 @@ struct uf_request {
     char srcip[15];
     char dstip[15];
     char url[URL_SIZE];
+    char usr[URL_SIZE];
 };
 
 // cache

diff --git a/websense.c b/websense.c
@@ -72,10 +72,9 @@ void websns_deny(int fd, struct websns_req *websns_request, char *redirect_url)
 }
 
 struct uf_request websns_validate(struct websns_req *websns_request, int msgsize) {
-    struct uf_request request = { 0, {0}, {0}, "" };
+    struct uf_request request = { 0, {0}, {0}, "", "" };
     struct in_addr srcip, dstip;
-    int i;
-
+    int i, j;
     request.type = UNKNOWN;
 
     if (msgsize == WEBSNS_ALIVE_SIZE) {
@@ -89,21 +88,37 @@ struct uf_request websns_validate(struct websns_req *websns_request, int msgsize
         dstip.s_addr = websns_request->dstip;
         snprintf(request.srcip, sizeof(request.srcip), "%s", inet_ntoa(srcip));
         snprintf(request.dstip, sizeof(request.dstip), "%s", inet_ntoa(dstip));
+
         for(i = 0; i < ntohs(websns_request->urlsize); i++)
-            request.url[i] = websns_request->url[i];
+        {
+		request.url[i] = websns_request->url[i];
+	}
+	//get remaining info in payload
+	i = 0;
+	//Offset is 2+10 for the preceding TACACS:/// string
+	for(j = (ntohs(websns_request->urlsize)+12); j < ntohs(websns_request->size); j++)
+	{
+		request.usr[i] = websns_request->url[j];
+		i++;
+	}
+
         return request;
     }
 
     return request;
 }
 
-void websns_convert(struct websns_req *websns_request, char msg[REQ_SIZE], int msgsize) {
+void websns_convert(struct websns_req *websns_request, char msg[REQ_SIZE], int msgsize, int debug) {
     char newmsg[REQ_SIZE];
     int offset = 0;
     int i;
 
     // check if it's version 1
     if (msgsize > WEBSNS_REQ_SIZE && ntohs(websns_request->code) == WEBSNS_REQ && ntohs(websns_request->urlsize) == 0) {
+	if (debug > 2)
+	{
+		syslog(LOG_INFO,"Websense v1 packet received; converting to v4");
+	}
         // convert to version 4
         for (i = 0; i < (msgsize - 2); i++) {
             if (i == 24)

diff --git a/websense.h b/websense.h
@@ -47,5 +47,5 @@ extern void websns_alive(int fd, struct websns_req *websns_request);
 extern void websns_accept(int fd, struct websns_req *websns_request);
 extern void websns_deny(int fd, struct websns_req *websns_request, char *redirect_url);
 extern struct uf_request websns_validate(struct websns_req *websns_request, int msgsize);
-extern void websns_convert(struct websns_req *websns_request, char msg[REQ_SIZE], int msgsize);
+extern void websns_convert(struct websns_req *websns_request, char msg[REQ_SIZE], int msgsize, int debug);