#!/bin/bash
# up

# remove non-printable chars first...
tr -dc '[[:print:]]' <<< "$username"
# then do more input validation on the supplied token...
if grep -P '^[\-a-zA-Z0-9]+$' <<<$username; then
 # token contains only allowed chars, good
 if [[ "${#username}" == 128 ]]; then
  # token is the length of a sha512 hash, good
  hash=$username
 fi
 if [[ "${#username}" == 127 ]]; then
  # fix needed for routers that chop off the last char
  hash=$username
 fi
 if [[ "${#username}" == 126 ]]; then
  # same thing as above
  hash=$username
 fi
 if [[ "${#username}" == 23 ]]; then
  # token is 23 chars long, someone forgot to hash their token,
  # so do it for them, then continue
  hash=`echo -n $username|openssl sha -sha512|awk '{print $NF}'`
 fi
 if [ "$hash" == "" ]; then
  # $hash is empty, which means whatever was provided contained valid chars,
  # but wasn't the length of a token or a hash, so don't let them in
  exit 1
 fi
else
 # token contains invalid chars, possible screwup,
 # possible attempt to inject shell/db commands, so reject
 exit 1
fi
# check if the token is valid and not expired and only allow a new session if max sessions isn't reached
result=`timeout 8 wget -T8 -qO- https://[redacted]?token=$hash`
if [ $? != 0 ] || [ "$result" == "good" ]; then
 # increase session counter for token
 result=`timeout 8 wget -T8 -qO- "https://[redacted]?token=${hash}&action=up"`

 # figure out the instance name from $config, which contains the full path to the openvpn .conf,
 # then use the dir /tmp/[instance name]/pool/ as the dir to hold the files that respresent the
 # of IPs in the pool that are in use
 openvpn_dir=`echo $config|awk -F/ '{print "/tmp/"$3}'`
 instance_pool_dir=`echo $openvpn_dir`/pool
 instance=`echo $openvpn_dir|awk -F/ '{print $3}'`
 POOL=`grep ^server $config|awk '{print $2}'|awk -F. '{print $1"."$2}'`

 # create /tmp/[instance name]/pool/ if it's not already there
 if [ ! -d $instance_pool_dir ]; then
  mkdir -p $instance_pool_dir
 fi

 # randomly grab an unused IP from the internal 10.whatever subnet specific to that instance,
 # since otherwise it would happen sequentially, which makes the user count guessable,
 # which could be useful in a correlation attack.
 found_one=0
 while [ "$found_one" -eq "0" ]; do
  # randomly generate the last 2 octets, in the range of 3-254 for each.
  RANDIP=$POOL.`echo $[ 3 + $[ RANDOM % 254 ]]`.`echo $[ 3 + $[ RANDOM % 254 ]]`
  # not taken yet?
  if [ ! -r $instance_pool_dir/$RANDIP ]; then
   # take it
   touch $instance_pool_dir/$RANDIP
   # write out the ifconfig line to $1 which is picked up by openvpn
   echo "ifconfig-push $RANDIP 255.255.0.0" > $1
   found_one=1
  fi
 done

 if [[ $IV_PLAT == "win" ]]; then
  echo 'push "redirect-gateway bypass-dhcp"' >> $1
  echo 'push "register-dns"' >> $1
  if [[ $IV_VER =~ ^2\.3.* ]]; then
   test_ver=`echo $IV_VER|awk -F. '{print $NF}'`
   if [ $test_ver -gt 8 ]; then
    echo 'push "block-outside-dns"' >> $1
   fi
  else
   echo 'push "block-outside-dns"' >> $1
  fi
 fi

 # found a random IP and pushed it to the client, so exit happily!
 # (or something went horribly wrong, still exit 0 so the client can get in anyways)
 exit 0
else
 exit 1
fi