New rw snmp variable clientBan allows to set bans via snmp

* src/varnish_mib.mib2c: Add support for rw variables.
* src/Makefile.am (varnish_mib_la_SOURCES): Add new files.
* src/VARNISH-MIB.txt (clientBan): New OID.
* src/auth.c: New file.
* src/ban.c: New file.
* src/sha256.c: New file.
* src/sha256.h: New file.
* src/varnish_mib.h: New file.
* src/vcli.c: New file.

9 files changed, 1481 insertions, 46 deletions

diff --git a/src/Makefile.am b/src/Makefile.am
index 4efd22c..439cdb3 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -20,3 +20,9 @@ dlmod_LTLIBRARIES = varnish-mib.la
 varnish_mib_la_SOURCES = \
- varnish_mib.c
+ auth.c\
+ ban.c\
+ sha256.c\
+ sha256.h\
+ varnish_mib.c\
+ varnish_mib.h\
+ vcli.c
 
diff --git a/src/VARNISH-MIB.txt b/src/VARNISH-MIB.txt
index 0ec5dac..01def5c 100644
--- a/src/VARNISH-MIB.txt
+++ b/src/VARNISH-MIB.txt
@@ -72,2 +72,10 @@ clientCacheMisses OBJECT-TYPE
 
+clientBan OBJECT-TYPE
+        SYNTAX  OCTET STRING (SIZE(0..1024))
+        MAX-ACCESS  read-write
+        STATUS      current
+        DESCRIPTION
+                "FIXME"
+        ::= { client 6 }
+        
 connections OBJECT IDENTIFIER    ::= { backend 1 }
@@ -203,2 +211,3 @@ varnishGroup OBJECT-GROUP
                 clientCacheMisses,
+                clientBan,
                 backendConnSuccess,
diff --git a/src/auth.c b/src/auth.c
new file mode 100644
index 0000000..9ef90ac
--- /dev/null
+++ b/src/auth.c
@@ -0,0 +1,63 @@
+/* This file is part of varnish-mib -*- c -*-
+   Copyright (C) 2014 Sergey Poznyakoff
+
+   Varnish-mib is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3, or (at your option)
+   any later version.
+
+   Varnish-mib is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with varnish-mib.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "varnish_mib.h"
+#include "sha256.h"
+#include <unistd.h>
+#include <fcntl.h>
+#include <assert.h>
+#include <errno.h>
+
+void
+varnish_auth_response_fd(int fd, const char *challenge,
+                         char response[CLI_AUTH_RESPONSE_LEN + 1])
+{
+        struct sha256_ctx ctx;
+        uint8_t buf[BUFSIZ];
+        int i;
+
+        assert(CLI_AUTH_RESPONSE_LEN == (SHA256_DIGEST_SIZE * 2));
+
+        sha256_init_ctx(&ctx);
+        sha256_process_bytes(challenge, 32, &ctx);
+        sha256_process_bytes("\n", 1, &ctx);
+        do {
+                i = read(fd, buf, sizeof buf);
+                if (i > 0)
+                        sha256_process_bytes(buf, i, &ctx);
+        } while (i > 0);
+        sha256_process_bytes(challenge, 32, &ctx);
+        sha256_process_bytes("\n", 1, &ctx);
+        sha256_finish_ctx(&ctx, buf);
+        for (i = 0; i < SHA256_DIGEST_SIZE; i++)
+                sprintf(response + 2 * i, "%02x", buf[i]);
+}
+
+int
+varnish_auth_response(const char *file, const char *challenge,
+                      char response[CLI_AUTH_RESPONSE_LEN + 1])
+{
+        int fd = open(file, O_RDONLY);
+        if (fd == -1) {
+                snmp_log(LOG_ERR, "can't open secret file %s: %s\n",
+                         file, strerror(errno));
+                return -1;
+        }
+        varnish_auth_response_fd(fd, challenge, response);
+        close(fd);
+        return 0;
+}
diff --git a/src/ban.c b/src/ban.c
new file mode 100644
index 0000000..a091e37
--- /dev/null
+++ b/src/ban.c
@@ -0,0 +1,62 @@
+/* This file is part of varnish-mib -*- c -*-
+   Copyright (C) 2014 Sergey Poznyakoff
+
+   Varnish-mib is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3, or (at your option)
+   any later version.
+
+   Varnish-mib is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with varnish-mib.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "varnish_mib.h"
+
+static int
+send_ban_cmd(vcli_conn_t *conn, const char *expr)
+{
+        if (vcli_asprintf(conn, "ban %s\n", expr) || vcli_write(conn))
+                return 1;
+
+        if (vcli_read_response(conn))
+                return 1;
+        
+        if (conn->resp != CLIS_OK) {
+                snmp_log(LOG_ERR, "command rejected: %u %s\n",
+                         conn->resp, conn->base);
+                return 1;
+        }
+        return 0;
+}
+
+int
+varnish_ban(netsnmp_agent_request_info   *reqinfo,
+            netsnmp_request_info         *requests,
+            struct VSM_data              *vd)
+{
+        int rc;
+        struct vcli_conn conn;
+        size_t len = requests->requestvb->val_len;
+        char *expr = malloc(len + 1);
+        
+        if (!expr) {
+                snmp_log(LOG_ERR, "out of memory\n");
+                return SNMP_ERR_GENERR;
+        }
+        memcpy(expr, requests->requestvb->val.string, len);
+        expr[len] = 0;
+        DEBUGMSGTL(("vcli_mib", "ban %s\n", expr));
+        rc = vcli_connect(vd, &conn);
+        if (rc == SNMP_ERR_NOERROR) {
+                rc = send_ban_cmd(&conn, expr);
+                vcli_disconnect(&conn);
+        }
+        free(expr);
+        return rc ? SNMP_ERR_GENERR : SNMP_ERR_NOERROR;
+}
+
diff --git a/src/sha256.c b/src/sha256.c
new file mode 100644
index 0000000..bcb5f74
--- /dev/null
+++ b/src/sha256.c
@@ -0,0 +1,570 @@
+/* sha256.c - Functions to compute SHA256 and SHA224 message digest of files or
+   memory blocks according to the NIST specification FIPS-180-2.
+
+   Copyright (C) 2005-2006, 2008-2013 Free Software Foundation, Inc.
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.  */
+
+/* Written by David Madore, considerably copypasting from
+   Scott G. Miller's sha1.c
+*/
+
+#include <config.h>
+
+#include "sha256.h"
+
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#if USE_UNLOCKED_IO
+# include "unlocked-io.h"
+#endif
+
+#ifdef WORDS_BIGENDIAN
+# define SWAP(n) (n)
+#else
+# define SWAP(n) \
+    (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
+#endif
+
+#define BLOCKSIZE 32768
+#if BLOCKSIZE % 64 != 0
+# error "invalid BLOCKSIZE"
+#endif
+
+/* This array contains the bytes used to pad the buffer to the next
+   64-byte boundary.  */
+static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ...  */ };
+
+
+/*
+  Takes a pointer to a 256 bit block of data (eight 32 bit ints) and
+  initializes it to the start constants of the SHA256 algorithm.  This
+  must be called before using hash in the call to sha256_hash
+*/
+void
+sha256_init_ctx (struct sha256_ctx *ctx)
+{
+  ctx->state[0] = 0x6a09e667UL;
+  ctx->state[1] = 0xbb67ae85UL;
+  ctx->state[2] = 0x3c6ef372UL;
+  ctx->state[3] = 0xa54ff53aUL;