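#!/bin/bash
#
# OpenVPN client-connect hook.
#
# Validates the token the client supplied as its username, asks the token
# service whether it is valid/unexpired/below its session limit, reserves a
# random unused address from this instance's pool and writes the per-client
# directives (ifconfig-push, Windows-only push options) to the file OpenVPN
# hands in as $1.
#
# Environment (set by OpenVPN): username, config, IV_PLAT, IV_VER.
# Argument:  $1 - per-client config file that OpenVPN reads back.
# Exit:      0 to admit the client, 1 to reject it.

# Upper bound on random draws when looking for a free address; the pool has
# at most 252 hosts, so hitting this means the pool is (practically) full.
# (constructed value, not from the original script)
readonly POOL_MAX_TRIES=1000

#######################################
# Validate the raw token and turn it into the hash sent to the backend.
# Accepted shapes: a full sha512 hex digest (128 chars), a digest with the
# last one or two chars chopped off by some routers (127/126 chars, passed
# through unchanged for the backend to cope with), or the raw 23-char token,
# which is hashed here on the client's behalf.
# Arguments: $1 - value supplied by the client
# Outputs:   the hash on stdout
# Returns:   0 if the value is acceptable, 1 otherwise
#######################################
normalize_token() {
  local raw=$1

  # Match the WHOLE string. The original used grep on a here-string, which
  # matches line by line and so accepts any multi-line input whose first
  # line looks valid. Only [-A-Za-z0-9] is allowed, which also makes the
  # value safe to place in a URL query string and in a command line.
  [[ "$raw" =~ ^[-a-zA-Z0-9]+$ ]] || return 1

  case "${#raw}" in
    128|127|126)
      # full or router-truncated sha512 hex digest
      printf '%s\n' "$raw"
      ;;
    23)
      # raw token: someone forgot to hash it, so do it for them
      printf '%s' "$raw" | openssl sha512 | awk '{print $NF}'
      ;;
    *)
      # right characters, wrong length: neither a token nor a hash
      return 1
      ;;
  esac
}

#######################################
# Reserve a random unused host address in the instance's pool.
# A marker file named after the address is created in the pool dir; an
# existing marker means the address is taken. Creation uses noclobber so
# the existence check and the reservation are one atomic step.
# Arguments: $1 - first three octets of the pool network, e.g. 10.8.0
#            $2 - pool directory
# Outputs:   the reserved address on stdout
# Returns:   0 on success, 1 if no free address was found
#######################################
reserve_ip() {
  local prefix=$1
  local pool_dir=$2
  local try candidate

  for (( try = 0; try < POOL_MAX_TRIES; try++ )); do
    # last octet in 3..254 inclusive (the original's "% 251" stopped at 253,
    # contradicting its own comment); only the last octet varies because the
    # pools on this box are /24s
    candidate="$prefix.$(( 3 + RANDOM % 252 ))"
    if ( set -o noclobber; : > "$pool_dir/$candidate" ) 2>/dev/null; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

#######################################
# Append the Windows-only push options to the per-client config.
# Arguments: $1 - per-client config path
#            $2 - IV_VER reported by the client (may be empty)
#######################################
push_windows_options() {
  local cc_file=$1
  local ver=$2

  {
    printf '%s\n' 'push "redirect-gateway bypass-dhcp"'
    printf '%s\n' 'push "register-dns"'
  } >> "$cc_file"

  # block-outside-dns is only pushed to 2.3.9 and newer within the 2.3 line.
  # NOTE(review): every non-2.3 version, including anything older than 2.3,
  # lands in the else branch and gets the option -- inherited behaviour,
  # confirm it is intended.
  if [[ "$ver" =~ ^2\.3 ]]; then
    local patch=${ver##*.}
    # a non-numeric patch part ("2.3" alone, or a suffixed build) counts as
    # too old rather than tripping an integer-comparison error
    if [[ "$patch" =~ ^[0-9]+$ ]] && (( patch > 8 )); then
      printf '%s\n' 'push "block-outside-dns"' >> "$cc_file"
    fi
  else
    printf '%s\n' 'push "block-outside-dns"' >> "$cc_file"
  fi
}

#######################################
# Entry point: validate, check with the backend, allocate, push.
# Globals:   username, config, IV_PLAT, IV_VER (read)
# Arguments: $1 - per-client config path
# Returns:   exits 0 to admit the client, 1 to reject
#######################################
main() {
  local cc_file=$1
  local hash result wget_rc instance pool_dir prefix ip

  # invalid characters or an unknown length: reject (a bad character set may
  # be a typo or an injection attempt; either way the client does not get in)
  hash=$(normalize_token "${username:-}") || exit 1

  # Ask the token service whether the token is valid, not expired, and
  # below its session limit. $hash is validated above, so it is safe to
  # embed in the query string.
  result=$(timeout 8 wget -T8 -qO- "https://[redacted]/?token=${hash}")
  wget_rc=$?

  # NOTE(review): this admits the client when the service cannot be reached
  # (non-zero wget status), i.e. it fails open. The original did this on
  # purpose so a backend outage does not lock clients out; kept as-is, but
  # it means any well-formed token is accepted while the service is down.
  if (( wget_rc != 0 )) || [[ "$result" == "gud" ]]; then
    # bump the session counter for this token; the reply is not checked
    timeout 8 wget -T8 -qO- "https://[redacted]?token=${hash}&action=up" >/dev/null

    # Instance name from $config (path of the openvpn .conf). The original
    # took the second '/'-separated field, which presumes a path of the form
    # <dir>/<instance>.conf relative to the working directory -- TODO confirm
    instance=$(awk -F/ '{print $2}' <<<"${config:-}" | sed -e 's/\.conf//')
    # NOTE(review): a predictable path under world-writable /tmp; any local
    # user can pre-create it or its marker files. Kept because other hooks
    # (e.g. a disconnect script) presumably share this path -- verify.
    pool_dir="/tmp/$instance/pool"
    # first three octets of the network in the 'server' directive
    prefix=$(grep '^server' "${config:-}" | awk '{print $2}' | awk -F. '{print $1"."$2"."$3}')
    mkdir -p -- "$pool_dir"

    if ip=$(reserve_ip "$prefix" "$pool_dir"); then
      # the ifconfig line OpenVPN picks up from the per-client config
      printf 'ifconfig-push %s 255.255.255.0\n' "$ip" > "$cc_file"
    else
      # the original looped forever here; refuse the client instead of hanging
      printf 'no free address in %s\n' "$pool_dir" >&2
      exit 1
    fi

    # only needed for Windows clients
    if [[ "${IV_PLAT:-}" == "win" ]]; then
      push_windows_options "$cc_file" "${IV_VER:-}"
    fi

    # an address was reserved and pushed to the client: admit it
    exit 0
  fi

  exit 1
}

main "$@"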