mod_webgate/mod_webgate.c

/*
SPDX-License-Identifier: AGPL-3.0-or-later
Copyright (C) 2026 mrkubax10 <mrkubax10@onet.pl>
*/

#include <apr_base64.h>
#include <httpd.h>
#include <http_core.h>
#include <http_protocol.h>
#include <http_log.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <util_cookies.h>
#include <util_md5.h>

#define MAX_TOKEN_LENGTH 30
#define TRACKED_TOKEN_COUNT 1000 // TODO: Allow changing this in server configuration

static const char* const TOKEN_COOKIE_NAME = "webgate_token";

typedef struct TokenArray {
	char* tokens;
	size_t count;
} TokenArray;

static void token_array_init(TokenArray* self) {
	self->tokens = calloc(TRACKED_TOKEN_COUNT, MAX_TOKEN_LENGTH);
	memset(self->tokens, 0, TRACKED_TOKEN_COUNT*MAX_TOKEN_LENGTH);
	self->count = 0;
}

static void token_array_push(TokenArray* self, const char* token) {
	strncpy(&self->tokens[self->count*MAX_TOKEN_LENGTH], token, MAX_TOKEN_LENGTH);
	self->count++;

	// Wrap around when array gets full
	if(self->count>=TRACKED_TOKEN_COUNT)
		self->count = 0;
}

// Checks if token array contains token
static bool token_array_contains(const TokenArray* self, const char* token) {
	for(size_t i = 0; i<self->count; i++) {
		if(strcmp(&self->tokens[i*MAX_TOKEN_LENGTH], token)==0)
			return true;
	}
	return false;
}

static TokenArray g_allowed_tokens = {0};
static TokenArray g_blocked_tokens = {0};

// Returns true if user agent of client which performed the request looks like Git
static bool check_user_agent_exception(request_rec* r) {
	static const char GIT_USER_AGENT_PREFIX[] = "git/";
	const char* const user_agent = apr_table_get(r->headers_in, "User-Agent");
	if(!user_agent || strncmp(user_agent, GIT_USER_AGENT_PREFIX, sizeof(GIT_USER_AGENT_PREFIX))!=0)
		return false;
	return apr_table_get(r->headers_in, "Git-Protocol");
}

static const char* generate_token(apr_pool_t* pool) {
	char rnd[32];
	apr_generate_random_bytes(rnd, sizeof(rnd));
	char rnd_md5[APR_MD5_DIGESTSIZE];
	apr_md5(rnd_md5, rnd, sizeof(rnd));

	const apr_size_t encoded_size = apr_base64_encode_len(sizeof(rnd_md5));
	char* output = apr_palloc(pool, encoded_size);
	apr_base64_encode(output, rnd_md5, sizeof(rnd_md5));
	return output;
}

// Generates new token and sets HTTP cookie containing it then presents client with challenge
static void handle_challenge(request_rec* r) {
	const char* const generated = generate_token(r->pool);
	ap_cookie_write(r, TOKEN_COOKIE_NAME, generated, NULL, 0, r->headers_out, NULL);

	// Send challenge page beginning
	ap_set_content_type(r, "text/html");
	ap_rvputs(r, "<!DOCTYPE HTML>"
		"<html lang=\"en\">"
		"<head>"
		"<title>mod_webgate</title>"
		"</head>"
		"<body>"
		"<h5>mod_webgate: Please select appropriate option</h5>",
		NULL
	);

	static const char* OPTION_STRINGS[] = {
		"<a href=\"/fail\">I would like to access this server</a><br>",
		"<a href=\"/success\">I would not like to access this server</a><br>",
	};
	unsigned char option_order[] = {
		1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0
	};

	// Randomize options order
	for(size_t i = 0; i<sizeof(option_order); i++) {
		char swap_index;
		apr_generate_random_bytes(&swap_index, 1);
		swap_index%=sizeof(option_order);
		if(swap_index==0)
			swap_index = 1;
		// Temporary value for swap
		unsigned char temp = option_order[1];
		option_order[1] = option_order[swap_index];
		option_order[swap_index] = temp;
	}

	// Send options
	for(size_t i = 0; i<sizeof(option_order); i++)
		ap_rvputs(r, OPTION_STRINGS[option_order[i]], NULL);

	// Finish page
	ap_rvputs(r, "</body>"
		"</html>",
		NULL
	);
}

static void handle_verification(request_rec* r) {
	// Send information about access granted
	ap_set_content_type(r, "text/html");
	ap_rvputs(r, "<!DOCTYPE HTML>"
		"<html lang=\"en\">"
		"<head>"
		"<title>mod_webgate</title>"
		"</head>"
		"<body>"
		"<h5>mod_webgate: Challenge successful</h5>"
		"<a href=\"/\">Click here to go to main page</a>"
		"</body>"
		"</html>",
		NULL
	);
}

static void handle_blocked(request_rec* r) {
	// Send information about access rejection
	ap_set_content_type(r, "text/html");
	ap_rvputs(r, "<!DOCTYPE HTML>"
		"<html lang=\"en\">"
		"<head>"
		"<title>mod_webgate</title>"
		"</head>"
		"<body>"
		"Fuck off clanker"
		"</body>"
		"</html>",
		NULL
	);
}

static apr_status_t post_config_hook(apr_pool_t* pool, apr_pool_t* pool_log, apr_pool_t* pool_temp, server_rec* s) {
	// Initialize global variables
	token_array_init(&g_allowed_tokens);
	token_array_init(&g_blocked_tokens);
	return APR_SUCCESS;
}

static int request_check_handler(request_rec* r) {
	// Provide exception for requests performed by Git
	if(check_user_agent_exception(r))
		return DECLINED;
	// Check if client already has the token
	const char* token;
	if(ap_cookie_read(r, TOKEN_COOKIE_NAME, &token, 0)!=APR_SUCCESS || !token) {
		handle_challenge(r);
		return OK;
	}

	// Check if client was blocked
	if(token_array_contains(&g_blocked_tokens, token)) {
		handle_blocked(r);
		return OK;
	}

	// Check if client is verified
	if(token_array_contains(&g_allowed_tokens, token))
		return DECLINED;

	// If client is not blocked and not verified then perhaps they are trying to verify
	if(strcmp(r->uri, "/fail")==0) {
		token_array_push(&g_allowed_tokens, token);
		handle_verification(r);
		return OK;
	}
	if(strcmp(r->uri, "/success")==0) {
		token_array_push(&g_blocked_tokens, token);
		handle_blocked(r);
		return OK;
	}

	// If it's something else redirect to challenge page
	handle_challenge(r);
	return OK;
}

static void register_hooks(apr_pool_t* pool) {
	ap_hook_post_config(post_config_hook, NULL, NULL, APR_HOOK_FIRST);
	ap_hook_handler(request_check_handler, NULL, NULL, APR_HOOK_FIRST);
}

module AP_MODULE_DECLARE_DATA webgate_module = {
	STANDARD20_MODULE_STUFF,
	NULL,
	NULL,
	NULL,
	NULL,
	NULL,
	register_hooks
};