webcit/context_loop.c

   1 /*
   2  * $Id$
   3  *
   4  * This is the other half of the webserver.  It handles the task of hooking
   5  * up HTTP requests with the sessions they belong to, using HTTP cookies to
   6  * keep track of things.  If the HTTP request doesn't belong to any currently
   7  * active session, a new session is started.
   8  *
   9  */
  10
  11 #include "webcit.h"
  12 #include "webserver.h"
  13
  14 /* Only one thread may manipulate SessionList at a time... */
  15 pthread_mutex_t SessionListMutex;
  16
  17 struct wcsession *SessionList = NULL; /**< our sessions ????*/
  18
  19 pthread_key_t MyConKey;         /**< TSD key for MySession() */
  20
  21
  22 /*
  23  * free the memory used for viewing atachments
  24  */
  25 void free_attachments(struct wcsession *sess) {
  26         struct wc_attachment *att;
  27
  28         while (sess->first_attachment != NULL) {
  29                 att = sess->first_attachment;
  30                 sess->first_attachment = sess->first_attachment->next;
  31                 free(att->data);
  32                 free(att);
  33         }
  34 }
  35
  36
  37 void DestroySession(struct wcsession **sessions_to_kill)
  38 {
  39         close((*sessions_to_kill)->serv_sock);
  40         close((*sessions_to_kill)->chat_sock);
  41 //              if ((*sessions_to_kill)->preferences != NULL) {
  42 //                      free((*sessions_to_kill)->preferences);
  43 //              }
  44         if ((*sessions_to_kill)->cache_fold != NULL) {
  45                 free((*sessions_to_kill)->cache_fold);
  46         }
  47         free_attachments((*sessions_to_kill));
  48         free_march_list((*sessions_to_kill));
  49         DeleteHash(&((*sessions_to_kill)->hash_prefs));
  50         DeleteHash(&((*sessions_to_kill)->IconBarSetttings));
  51         DeleteHash(&((*sessions_to_kill)->ServCfg));
  52         FreeStrBuf(&((*sessions_to_kill)->UrlFragment1));
  53         FreeStrBuf(&((*sessions_to_kill)->UrlFragment2));
  54         FreeStrBuf(&((*sessions_to_kill)->WBuf));
  55         FreeStrBuf(&((*sessions_to_kill)->HBuf));
  56
  57         free((*sessions_to_kill));
  58         (*sessions_to_kill) = NULL;
  59 }
  60
  61 void shutdown_sessions(void)
  62 {
  63         struct wcsession *sptr;
  64
  65         for (sptr = SessionList; sptr != NULL; sptr = sptr->next) {
  66                         sptr->killthis = 1;
  67         }
  68 }
  69
  70 void do_housekeeping(void)
  71 {
  72         struct wcsession *sptr, *ss;
  73         struct wcsession *sessions_to_kill = NULL;
  74         int num_sessions = 0;
  75         static int num_threads = MIN_WORKER_THREADS;
  76
  77         /**
  78          * Lock the session list, moving any candidates for euthanasia into
  79          * a separate list.
  80          */
  81         pthread_mutex_lock(&SessionListMutex);
  82         num_sessions = 0;
  83         for (sptr = SessionList; sptr != NULL; sptr = sptr->next) {
  84                 ++num_sessions;
  85
  86                 /** Kill idle sessions */
  87                 if ((time(NULL) - (sptr->lastreq)) >
  88                    (time_t) WEBCIT_TIMEOUT) {
  89                         sptr->killthis = 1;
  90                 }
  91
  92                 /** Remove sessions flagged for kill */
  93                 if (sptr->killthis) {
  94
  95                         /** remove session from linked list */
  96                         if (sptr == SessionList) {
  97                                 SessionList = SessionList->next;
  98                         }
  99                         else for (ss=SessionList;ss!=NULL;ss=ss->next) {
 100                                 if (ss->next == sptr) {
 101                                         ss->next = ss->next->next;
 102                                 }
 103                         }
 104
 105                         sptr->next = sessions_to_kill;
 106                         sessions_to_kill = sptr;
 107                 }
 108         }
 109         pthread_mutex_unlock(&SessionListMutex);
 110
 111         /**
 112          * Now free up and destroy the culled sessions.
 113          */
 114         while (sessions_to_kill != NULL) {
 115                 lprintf(3, "Destroying session %d\n", sessions_to_kill->wc_session);
 116                 pthread_mutex_lock(&sessions_to_kill->SessionMutex);
 117                 pthread_mutex_unlock(&sessions_to_kill->SessionMutex);
 118                 sptr = sessions_to_kill->next;
 119
 120                 DestroySession(&sessions_to_kill);
 121                 sessions_to_kill = sptr;
 122                 --num_sessions;
 123         }
 124
 125         /**
 126          * If there are more sessions than threads, then we should spawn
 127          * more threads ... up to a predefined maximum.
 128          */
 129         while ( (num_sessions > num_threads)
 130               && (num_threads <= MAX_WORKER_THREADS) ) {
 131                 spawn_another_worker_thread();
 132                 ++num_threads;
 133                 lprintf(3, "There are %d sessions and %d threads active.\n",
 134                         num_sessions, num_threads);
 135         }
 136 }
 137
 138
 139 /**
 140  * \brief Wake up occasionally and clean house
 141  */
 142 void housekeeping_loop(void)
 143 {
 144         while (1) {
 145                 sleeeeeeeeeep(HOUSEKEEPING);
 146                 do_housekeeping();
 147         }
 148 }
 149
 150
 151 /**
 152  * \brief Create a Session id
 153  * Generate a unique WebCit session ID (which is not the same thing as the
 154  * Citadel session ID).
 155  *
 156  * \todo FIXME ... ensure that session number is truly unique
 157  *
 158  */
 159 int GenerateSessionID(void)
 160 {
 161         static int seq = (-1);
 162
 163         if (seq < 0) {
 164                 seq = (int) time(NULL);
 165         }
 166
 167         return ++seq;
 168 }
 169
 170
 171 /*
 172  * Collapse multiple cookies on one line
 173  */
 174 int req_gets(int *sock, char *buf, char *hold, size_t hlen)
 175 {
 176         int a, b;
 177
 178         if (IsEmptyStr(hold)) {
 179                 strcpy(buf, "");
 180                 a = client_getln(sock, buf, SIZ);
 181                 if (a<1) return(-1);
 182         } else {
 183                 safestrncpy(buf, hold, SIZ);
 184         }
 185         strcpy(hold, "");
 186
 187         if (!strncasecmp(buf, "Cookie: ", 8)) {
 188                 int len;
 189                 len = strlen(buf);
 190                 for (a = 0; a < len; ++a)
 191                         if (buf[a] == ';') {
 192                                 // we don't refresh len, because of we
 193                                 // only exit from here.
 194                                 snprintf(hold, hlen, "Cookie: %s", &buf[a + 1]);
 195                                 buf[a] = 0;
 196                                 b = 8;
 197                                 while (isspace(hold[b]))
 198                                         b++;
 199
 200                                 memmove(&hold[8], &hold[b], len - b + 1);
 201                                 return(0);
 202                         }
 203         }
 204
 205         return(0);
 206 }
 207
 208 /*
 209  * lingering_close() a`la Apache. see
 210  * http://www.apache.org/docs/misc/fin_wait_2.html for rationale
 211  */
 212 int lingering_close(int fd)
 213 {
 214         char buf[SIZ];
 215         int i;
 216         fd_set set;
 217         struct timeval tv, start;
 218
 219         gettimeofday(&start, NULL);
 220         shutdown(fd, 1);
 221         do {
 222                 do {
 223                         gettimeofday(&tv, NULL);
 224                         tv.tv_sec = SLEEPING - (tv.tv_sec - start.tv_sec);
 225                         tv.tv_usec = start.tv_usec - tv.tv_usec;
 226                         if (tv.tv_usec < 0) {
 227                                 tv.tv_sec--;
 228                                 tv.tv_usec += 1000000;
 229                         }
 230                         FD_ZERO(&set);
 231                         FD_SET(fd, &set);
 232                         i = select(fd + 1, &set, NULL, NULL, &tv);
 233                 } while (i == -1 && errno == EINTR);
 234
 235                 if (i <= 0)
 236                         break;
 237
 238                 i = read(fd, buf, sizeof buf);
 239         } while (i != 0 && (i != -1 || errno == EINTR));
 240
 241         return close(fd);
 242 }
 243
 244
 245
 246 /**
 247  * \brief       sanity requests
 248  *              Check for bogus requests coming from brain-dead Windows boxes.
 249  *
 250  * \param       http_cmd        The HTTP request to check
 251  */
 252 int is_bogus(char *http_cmd) {
 253         char *url;
 254         int i, max;
 255
 256         url = strstr(http_cmd, " ");
 257         if (url == NULL) return(1);
 258         ++url;
 259
 260         char *bogus_prefixes[] = {
 261                 "/scripts/root.exe",    /**< Worms and trojans and viruses, oh my! */
 262                 "/c/winnt",
 263                 "/MSADC/",
 264                 "/_vti",                /**< Broken Microsoft DAV implementation */
 265                 "/MSOffice"             /**< Stoopid MSOffice thinks everyone is IIS */
 266         };
 267
 268         max = sizeof(bogus_prefixes) / sizeof(char *);
 269
 270         for (i=0; i<max; ++i) {
 271                 if (!strncasecmp(url, bogus_prefixes[i], strlen(bogus_prefixes[i]))) {
 272                         return(2);
 273                 }
 274         }
 275
 276         return(0);      /* probably ok */
 277 }
 278
 279
 280
 281 /**
 282  * \brief handle one request
 283  * This loop gets called once for every HTTP connection made to WebCit.  At
 284  * this entry point we have an HTTP socket with a browser allegedly on the
 285  * other end, but we have not yet bound to a WebCit session.
 286  *
 287  * The job of this function is to locate the correct session and bind to it,
 288  * or create a session if necessary and bind to it, then run the WebCit
 289  * transaction loop.  Afterwards, we unbind from the session.  When this
 290  * function returns, the worker thread is then free to handle another
 291  * transaction.
 292  * \param sock the socket we will put our answer to
 293  */
 294 void context_loop(int *sock)
 295 {
 296         struct httprequest *req = NULL;
 297         struct httprequest *last = NULL;
 298         struct httprequest *hptr;
 299         char buf[SIZ], hold[SIZ];
 300         int desired_session = 0;
 301         int got_cookie = 0;
 302         int gzip_ok = 0;
 303         struct wcsession *TheSession, *sptr;
 304         char httpauth_string[1024];
 305         char httpauth_user[1024];
 306         char httpauth_pass[1024];
 307         char accept_language[256];
 308         char *ptr = NULL;
 309         int session_is_new = 0;
 310
 311         strcpy(httpauth_string, "");
 312         strcpy(httpauth_user, DEFAULT_HTTPAUTH_USER);
 313         strcpy(httpauth_pass, DEFAULT_HTTPAUTH_PASS);
 314
 315         /**
 316          * Find out what it is that the web browser is asking for
 317          */
 318         memset(hold, 0, sizeof(hold));
 319         do {
 320                 if (req_gets(sock, buf, hold, SIZ) < 0) return;
 321
 322                 /**
 323                  * Can we compress?
 324                  */
 325                 if (!strncasecmp(buf, "Accept-encoding:", 16)) {
 326                         if (strstr(&buf[16], "gzip")) {
 327                                 gzip_ok = 1;
 328                         }
 329                 }
 330
 331                 /**
 332                  * Browser-based sessions use cookies for session authentication
 333                  */
 334                 if (!strncasecmp(buf, "Cookie: webcit=", 15)) {
 335                         cookie_to_stuff(&buf[15], &desired_session,
 336                                 NULL, 0, NULL, 0, NULL, 0);
 337                         got_cookie = 1;
 338                 }
 339
 340                 /**
 341                  * GroupDAV-based sessions use HTTP authentication
 342                  */
 343                 if (!strncasecmp(buf, "Authorization: Basic ", 21)) {
 344                         CtdlDecodeBase64(httpauth_string, &buf[21], strlen(&buf[21]));
 345                         extract_token(httpauth_user, httpauth_string, 0, ':', sizeof httpauth_user);
 346                         extract_token(httpauth_pass, httpauth_string, 1, ':', sizeof httpauth_pass);
 347                 }
 348
 349                 if (!strncasecmp(buf, "If-Modified-Since: ", 19)) {
 350                         if_modified_since = httpdate_to_timestamp(&buf[19]);
 351                 }
 352
 353                 if (!strncasecmp(buf, "Accept-Language: ", 17)) {
 354                         safestrncpy(accept_language, &buf[17], sizeof accept_language);
 355                 }
 356
 357                 /**
 358                  * Read in the request
 359                  */
 360                 hptr = (struct httprequest *)
 361                         malloc(sizeof(struct httprequest));
 362                 if (req == NULL)
 363                         req = hptr;
 364                 else
 365                         last->next = hptr;
 366                 hptr->next = NULL;
 367                 last = hptr;
 368
 369                 safestrncpy(hptr->line, buf, sizeof hptr->line);
 370
 371         } while (!IsEmptyStr(buf));
 372
 373         /**
 374          * If the request is prefixed by "/webcit" then chop that off.  This
 375          * allows a front end web server to forward all /webcit requests to us
 376          * while still using the same web server port for other things.
 377          */
 378
 379         ptr = strstr(req->line, " /webcit ");   /*< Handle "/webcit" */
 380         if (ptr != NULL) {
 381                 strcpy(ptr+2, ptr+8);
 382         }
 383
 384         ptr = strstr(req->line, " /webcit");    /*< Handle "/webcit/" */
 385         if (ptr != NULL) {
 386                 strcpy(ptr+1, ptr+8);
 387         }
 388
 389         safestrncpy(buf, req->line, sizeof buf);
 390         /** Begin parsing the request. */
 391 #ifdef TECH_PREVIEW
 392         if ((strncmp(req->line+4, "/sslg", 5) != 0) &&
 393             (strncmp(req->line+4, "/wholist_section", 16) != 0)) {
 394 #endif
 395                 lprintf(5, "HTTP: %s\n", buf);
 396 #ifdef TECH_PREVIEW
 397         }
 398 #endif
 399
 400         /** Check for bogus requests */
 401         if (is_bogus(buf)) {
 402                 strcpy(req->line, "GET /404 HTTP/1.1");
 403                 strcpy(buf, "GET /404 HTTP/1.1");
 404         }
 405
 406         /**
 407          * Strip out the method, leaving the URL up front...
 408          */
 409         remove_token(buf, 0, ' ');
 410         if (buf[1]==' ') buf[1]=0;
 411
 412         /**
 413          * While we're at it, gracefully handle requests for the
 414          * robots.txt and favicon.ico files.
 415          */
 416         if (!strncasecmp(buf, "/robots.txt", 11)) {
 417                 strcpy(req->line, "GET /static/robots.txt"
 418                                 "?force_close_session=yes HTTP/1.1");
 419         }
 420         else if (!strncasecmp(buf, "/favicon.ico", 12)) {
 421                 strcpy(req->line, "GET /static/favicon.ico");
 422         }
 423
 424         /**
 425          * These are the URL's which may be executed without a
 426          * session cookie already set.  If it's not one of these,
 427          * force the session to close because cookies are
 428          * probably disabled on the client browser.
 429          */
 430         else if ( (strcmp(buf, "/"))
 431                 && (strncasecmp(buf, "/listsub", 8))
 432                 && (strncasecmp(buf, "/freebusy", 9))
 433                 && (strncasecmp(buf, "/do_logout", 10))
 434                 && (strncasecmp(buf, "/groupdav", 9))
 435                 && (strncasecmp(buf, "/static", 7))
 436                 && (strncasecmp(buf, "/rss", 4))
 437                 && (strncasecmp(buf, "/404", 4))
 438                 && (got_cookie == 0)) {
 439                 strcpy(req->line, "GET /static/nocookies.html"
 440                                 "?force_close_session=yes HTTP/1.1");
 441         }
 442
 443         /**
 444          * See if there's an existing session open with the desired ID or user/pass
 445          */
 446         TheSession = NULL;
 447
 448         if (TheSession == NULL) {
 449                 pthread_mutex_lock(&SessionListMutex);
 450                 for (sptr = SessionList; sptr != NULL; sptr = sptr->next) {
 451
 452                         /** If HTTP-AUTH, look for a session with matching credentials */
 453                         if ( (!IsEmptyStr(httpauth_user))
 454                            &&(!strcasecmp(sptr->httpauth_user, httpauth_user))
 455                            &&(!strcasecmp(sptr->httpauth_pass, httpauth_pass)) ) {
 456                                 TheSession = sptr;
 457                         }
 458
 459                         /** If cookie-session, look for a session with matching session ID */
 460                         if ( (desired_session != 0) && (sptr->wc_session == desired_session)) {
 461                                 TheSession = sptr;
 462                         }
 463
 464                 }
 465                 pthread_mutex_unlock(&SessionListMutex);
 466         }
 467
 468         /**
 469          * Create a new session if we have to
 470          */
 471         if (TheSession == NULL) {
 472                 lprintf(3, "Creating a new session\n");
 473                 TheSession = (struct wcsession *)
 474                         malloc(sizeof(struct wcsession));
 475                 memset(TheSession, 0, sizeof(struct wcsession));
 476                 TheSession->serv_sock = (-1);
 477                 TheSession->chat_sock = (-1);
 478
 479                 /* If we're recreating a session that expired, it's best to give it the same
 480                  * session number that it had before.  The client browser ought to pick up
 481                  * the new session number and start using it, but in some rare situations it
 482                  * doesn't, and that's a Bad Thing because it causes lots of spurious sessions
 483                  * to get created.
 484                  */
 485                 if (desired_session == 0) {
 486                         TheSession->wc_session = GenerateSessionID();
 487                 }
 488                 else {
 489                         TheSession->wc_session = desired_session;
 490                 }
 491
 492                 strcpy(TheSession->httpauth_user, httpauth_user);
 493                 strcpy(TheSession->httpauth_pass, httpauth_pass);
 494                 TheSession->hash_prefs = NewHash(1,NULL);       /* Get a hash table for the user preferences */
 495                 pthread_mutex_init(&TheSession->SessionMutex, NULL);
 496                 pthread_mutex_lock(&SessionListMutex);
 497                 TheSession->urlstrings = NULL;
 498                 TheSession->vars = NULL;
 499                 TheSession->nonce = rand();
 500                 TheSession->WBuf = NULL;
 501                 TheSession->next = SessionList;
 502                 SessionList = TheSession;
 503                 pthread_mutex_unlock(&SessionListMutex);
 504                 session_is_new = 1;
 505         }
 506
 507         /*
 508          * A future improvement might be to check the session integrity
 509          * at this point before continuing.
 510          */
 511
 512         /*
 513          * Bind to the session and perform the transaction
 514          */
 515         pthread_mutex_lock(&TheSession->SessionMutex);          /* bind */
 516         pthread_setspecific(MyConKey, (void *)TheSession);
 517
 518         TheSession->urlstrings = NewHash(1,NULL);
 519         TheSession->vars = NewHash(1,NULL);
 520         TheSession->http_sock = *sock;
 521         TheSession->lastreq = time(NULL);                       /* log */
 522         TheSession->gzip_ok = gzip_ok;
 523 #ifdef ENABLE_NLS
 524         if (session_is_new) {
 525                 httplang_to_locale(accept_language);
 526         }
 527         go_selected_language();                                 /* set locale */
 528 #endif
 529         session_loop(req);                                      /* do transaction */
 530 #ifdef ENABLE_NLS
 531         stop_selected_language();                               /* unset locale */
 532 #endif
 533         DeleteHash(&TheSession->urlstrings);
 534         DeleteHash(&TheSession->vars);
 535         FreeStrBuf(&TheSession->WBuf);
 536         FreeStrBuf(&TheSession->HBuf);
 537
 538
 539         pthread_mutex_unlock(&TheSession->SessionMutex);        /* unbind */
 540
 541         /* Free the request buffer */
 542         while (req != NULL) {
 543                 hptr = req->next;
 544                 free(req);
 545                 req = hptr;
 546         }
 547
 548         /*
 549          * Free up any session-local substitution variables which
 550          * were set during this transaction
 551          */
 552
 553
 554 }