#!/bin/bash
# up

# remove non-printable chars first...
tr -dc '[[:print:]]' <<< "$username"
# then do more input validation on the supplied token...
if grep -P '^[\-a-zA-Z0-9]+$' <<<$username; then
 # token contains only allowed chars, good
 if [[ "${#username}" == 128 ]]; then
  # token is the length of a sha512 hash, good
  hash=$username
 fi
 if [[ "${#username}" == 127 ]]; then
  # fix needed for routers that chop off the last char
  hash=$username
 fi
 if [[ "${#username}" == 126 ]]; then
  # same thing as above
  hash=$username
 fi
 if [[ "${#username}" == 23 ]]; then
  # token is 23 chars long, someone forgot to hash their token,
  # so do it for them, then continue
  hash=`echo -n $username|openssl sha -sha512|awk '{print $NF}'`
 fi
 if [ "$hash" == "" ]; then
  # $hash is empty, which means whatever was provided contained valid chars,
  # but wasn't the length of a token or a hash, so don't let them in
  exit 1
 fi
else
 # token contains invalid chars, possible screwup,
 # possible attempt to inject shell/db commands, so reject
 exit 1
fi
# check if the token is valid and not expired and only allow a new session if max sessions isn't reached
result=`timeout 8 wget -T8 -qO- https://[redacted]?token=$hash`
if [ $? != 0 ] || [ "$result" == "good" ]; then
 # increase session counter for token
 result=`timeout 8 wget -T8 -qO- "https://[redacted]?token=${hash}&action=up"`

 # figure out the instance name from $config, which contains the full path to the openvpn .conf,
 # then use the dir /tmp/[instance name]/pool/ as the dir to hold the files that respresent the
 # of IPs in the pool that are in use
 openvpn_dir=`echo $config|awk -F/ '{print "/tmp/"$3}'`
 instance_pool_dir=`echo $openvpn_dir`/pool
 instance=`echo $openvpn_dir|awk -F/ '{print $3}'`
 POOL=`grep ^server $config|awk '{print $2}'|awk -F. '{print $1"."$2}'`

 # create /tmp/[instance name]/pool/ if it's not already there
 if [ ! -d $instance_pool_dir ]; then
  mkdir -p $instance_pool_dir
 fi

 # randomly grab an unused IP from the internal 10.whatever subnet specific to that instance,
 # since otherwise it would happen sequentially, which makes the user count guessable,
 # which could be useful in a correlation attack.
 found_one=0
 while [ "$found_one" -eq "0" ]; do
  # randomly generate the last 2 octets, in the range of 3-254 for each.
  RANDIP=$POOL.`echo $[ 3 + $[ RANDOM % 254 ]]`.`echo $[ 3 + $[ RANDOM % 254 ]]`
  # not taken yet?
  if [ ! -r $instance_pool_dir/$RANDIP ]; then
   # take it
   touch $instance_pool_dir/$RANDIP
   # write out the ifconfig line to $1 which is picked up by openvpn
   echo "ifconfig-push $RANDIP 255.255.0.0" > $1
   found_one=1
  fi
 done

 # if Windows then
 if [[ $IV_PLAT == "win" ]]; then
  # do Windows-only things
  echo 'push "redirect-gateway bypass-dhcp"' >> $1
  echo 'push "register-dns"' >> $1
  # if client's OpenVPN is 2.3.x then
  if [[ $IV_VER =~ ^2\.3.* ]]; then
   # check to make sure it's > 2.3.8
   # since block-outside-dns isn't supported in <= 2.3.8
   test_ver=`echo $IV_VER|awk -F. '{print $NF}'`
   if [ $test_ver -gt 8 ]; then
    # they've got openvpn => 2.3.9, so send block-outside-dns
    echo 'push "block-outside-dns"' >> $1
   fi
  else
   # they've got openvpn 2.4.x, so send block-outside-dns
   # (no need to check for openvpn 2.2.x since you can't connect
   # with such an old version)
   echo 'push "block-outside-dns"' >> $1
  fi
 fi

 # found a random IP and pushed it to the client, so exit happily!
 # (or something went horribly wrong, still exit 0 so the client can get in anyways)
 exit 0
else
 exit 1
fi