added config access modes

pull/16/head
Martin Ger 2017-08-16 14:00:51 +02:00
rodzic 171b75c65c
commit 3117ba6b53
8 zmienionych plików z 60 dodań i 3 usunięć


@ -55,6 +55,7 @@ Advanced commands (most of the set-commands are effective only after save and re
- set ap_open [0|1]: selects, whether the soft-AP uses WPA2 security (ap_open=0, automatic, if an ap_password is set) or open (ap_open=1)
- set speed [80|160]: sets the CPU clock frequency (default 80 Mhz)
- set config_port _portno_: sets the port number of the console login (default is 7777, 0 disables remote console config)
- set config_access _mode_: controls the networks that allow config access (0: no access, 1: only internal, 2: only external, 3: both (default))
- script [_portno_|delete]: opens port for upload of scripts or deletes the current script
While the user interface looks similar to my esp_wifi_repeater at https://github.com/martin-ger/esp_wifi_repeater this does NO NAT routing. AP and STA network are stricly separated and there is no routing in between. The only possible connection via both networks is the uMQTT broker that listens on both interfaces.
@ -305,4 +306,4 @@ typedef bool (*MqttAuthCallback)(const char* username, const char *password);
void MQTT_server_onAuth(MqttAuthCallback authCb);
```
If an *MqttAuthCallback* function is provided, it is called on each connect request. Based on username and password the function has to return *true* for authenticated or *false* for rejected. No provided username/password are empty strings. If no *MqttAuthCallback* function is set, each request will be admitted.
If an *MqttAuthCallback* function is provided, it is called on each connect request. Based on username and password the function has to return *true* for authenticated or *false* for rejected. If a request provides no username and or password the strings are empty. If no *MqttAuthCallback* function is set, each request will be admitted.




@ -33,6 +33,7 @@ void config_load_default(sysconfig_p config) {
config->clock_speed = 80;
config->config_port = CONSOLE_SERVER_PORT;
config->config_access = LOCAL_ACCESS | REMOTE_ACCESS;
os_sprintf(config->mqtt_broker_user, "%s", "none");
config->mqtt_broker_password[0] = 0;


@ -45,6 +45,7 @@ typedef struct
uint16_t clock_speed; // Freq of the CPU
uint16_t config_port; // Port on which the concole listenes (0 if no access)
uint8_t config_access; // Controls the interfaces that allow config access (default LOCAL_ACCESS | REMOTE_ACCESS)
uint8_t mqtt_broker_user[32]; // Username for client login, "none" if empty
uint8_t mqtt_broker_password[32]; // Password for client login


@ -596,14 +596,14 @@ int ICACHE_FLASH_ATTR parse_action(int next_token, bool doit) {
if (is_token(next_token + 1, "remote")) {
if (doit && mqtt_connected) {
retval = MQTT_Subscribe(&mqttClient, my_token[next_token + 2], 0);
lang_info("subsrcibe remote %s %s\r\n", my_token[next_token + 2], retval ? "success" : "failed");
lang_info("subscribe remote %s %s\r\n", my_token[next_token + 2], retval ? "success" : "failed");
}
} else
#endif
if (is_token(next_token + 1, "local")) {
if (doit) {
retval = MQTT_local_subscribe(my_token[next_token + 2], 0);
lang_info("subsrcibe local %s %s\r\n", my_token[next_token + 2], retval ? "success" : "failed");
lang_info("subscribe local %s %s\r\n", my_token[next_token + 2], retval ? "success" : "failed");
}
} else {
return syntax_error(next_token + 1, "'local' or 'remote' expected");


@ -3,6 +3,9 @@
typedef enum {SIG_DO_NOTHING=0, SIG_START_SERVER=1, SIG_UART0, SIG_TOPIC_RECEIVED, SIG_SCRIPT_LOADED, SIG_CONSOLE_TX_RAW, SIG_CONSOLE_TX, SIG_CONSOLE_RX} USER_SIGNALS;
#define LOCAL_ACCESS 0x01
#define REMOTE_ACCESS 0x02
#define WIFI_SSID "ssid"
#define WIFI_PASSWORD "password"


@ -67,6 +67,23 @@ void ICACHE_FLASH_ATTR to_console(char *str) {
ringbuf_memcpy_into(console_tx_buffer, str, os_strlen(str));
}
bool ICACHE_FLASH_ATTR check_connection_access(struct espconn *pesp_conn, uint8_t access_flags) {
remot_info *premot = NULL;
ip_addr_t *remote_addr;
bool is_local;
remote_addr = (ip_addr_t *)&(pesp_conn->proto.tcp->remote_ip);
//os_printf("Remote addr is %d.%d.%d.%d\r\n", IP2STR(remote_addr));
is_local = (remote_addr->addr & 0x00ffffff) == (config.network_addr.addr & 0x00ffffff);
if (is_local && (access_flags & LOCAL_ACCESS))
return true;
if (!is_local && (access_flags & REMOTE_ACCESS))
return true;
return false;
}
#ifdef MQTT_CLIENT
MQTT_Client mqttClient;
@ -397,6 +414,15 @@ void ICACHE_FLASH_ATTR console_handle_command(struct espconn *pespconn) {
os_sprintf(response, config.dns_addr.addr ? "DNS: %d.%d.%d.%d\r\n" : "", IP2STR(&config.dns_addr));
to_console(response);
#ifdef REMOTE_CONFIG
if (config.config_port == 0 || config.config_access == 0) {
os_sprintf(response, "No network console access\r\n");
} else {
os_sprintf(response, "Network console access on port %d (mode %d)\r\n", config.config_port, config.config_access);
}
to_console(response);
#endif
if (os_strcmp(config.mqtt_broker_user, "none") != 0) {
os_sprintf(response,
"MQTT broker username: %s password: %s\r\n",
@ -463,6 +489,11 @@ void ICACHE_FLASH_ATTR console_handle_command(struct espconn *pespconn) {
}
if (nTokens == 2 && strcmp(tokens[1], "mqtt") == 0) {
if (config.locked) {
os_sprintf(response, INVALID_LOCKED);
goto command_handled;
}
MQTT_ClientCon *clientcon;
int ccnt = 0;
@ -490,6 +521,11 @@ void ICACHE_FLASH_ATTR console_handle_command(struct espconn *pespconn) {
}
#ifdef SCRIPTED
if (nTokens >= 2 && strcmp(tokens[1], "script") == 0) {
if (config.locked) {
os_sprintf(response, INVALID_LOCKED);
goto command_handled;
}
uint32_t line_count, char_count, start_line = 1;
if (nTokens == 3)
start_line = atoi(tokens[2]);
@ -826,6 +862,15 @@ void ICACHE_FLASH_ATTR console_handle_command(struct espconn *pespconn) {
os_sprintf(response, "Config port set to %d\r\n", config.config_port);
goto command_handled;
}
if (strcmp(tokens[1], "config_access") == 0) {
config.config_access = atoi(tokens[2]) & (LOCAL_ACCESS | REMOTE_ACCESS);
if (config.config_access == 0)
os_sprintf(response, "WARNING: if you save this, remote console access will be disabled!\r\n");
else
os_sprintf(response, "Config access set\r\n", config.config_port);
goto command_handled;
}
#endif
if (strcmp(tokens[1], "broker_user") == 0) {
os_strncpy(config.mqtt_broker_user, tokens[2], 32);
@ -969,6 +1014,12 @@ static void ICACHE_FLASH_ATTR tcp_client_connected_cb(void *arg) {
os_printf("tcp_client_connected_cb(): Client connected\r\n");
if (!check_connection_access(pespconn, config.config_access)) {
os_printf("Client disconnected - no config access on this network\r\n");
espconn_disconnect(pespconn);
return;
}
espconn_regist_sentcb(pespconn, tcp_client_sent_cb);
espconn_regist_disconcb(pespconn, tcp_client_discon_cb);
espconn_regist_recvcb(pespconn, tcp_client_recv_cb);
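Review bot: check_connection_access decides "local" by masking both addresses with the constant `0x00ffffff`, i.e. it hard-codes a /24 AP network; if the soft-AP is ever configured with a different netmask, or the STA-side network happens to share the same first three octets, external clients are classified as local and pass the LOCAL_ACCESS check, so the mask should come from the AP's configured netmask if the config holds one, or at minimum the assumption should be stated next to the line: `// assumes the AP network is a /24; addr is in network byte order`. Note also that this is a source-address heuristic, not authentication: the console login that follows tcp_client_connected_cb (whose body continues outside the hunk) remains the actual access control, and that is worth saying in a comment on the function. In the "config_access" handler, `os_sprintf(response, "Config access set\r\n", config.config_port);` passes an argument the format string never consumes; drop it: `os_sprintf(response, "Config access set\r\n");`. The `atoi(tokens[2]) & (LOCAL_ACCESS | REMOTE_ACCESS)` line silently discards any other bits, so an input such as "4" becomes 0 and only the generic warning is printed; a short comment that out-of-range values are masked to 0 would help the next reader.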