source: branches/stable/cgi-bin/search.cgi

#!/usr/bin/perl
# ipdb/cgi-bin/search.cgi
# Started splitting search functions (quick and otherwise) from
# main IPDB interface 03/11/2005
###
# SVN revision info
# $Date: 2014-07-04 17:18:11 +0000 (Fri, 04 Jul 2014) $
# SVN revision $Rev: 621 $
# Last update by $Author: kdeugau $
###
# Copyright (C) 2005-2013 Kris Deugau <kdeugau@deepnet.cx>

use strict;             
use warnings;   
use CGI::Carp qw(fatalsToBrowser);
use CGI::Simple;
use HTML::Template;
use DBI;
use POSIX qw(ceil);
use NetAddr::IP;

# don't remove!  required for GNU/FHS-ish install from tarball
##uselib##

use MyIPDB;

# Don't formally need a username or syslog here.  syslog left active for debugging.
use Sys::Syslog;
openlog "IPDBsearch","pid","$IPDB::syslog_facility";

# ... but we do *use* the username on ACLs now.
# Collect the username from HTTP auth.  If undefined, we're in
# a test environment, or called without a username.
my $authuser;
if (!defined($ENV{'REMOTE_USER'})) {
  $authuser = '__temptest';
} else {
  $authuser = $ENV{'REMOTE_USER'};
}

# Global variables
my $RESULTS_PER_PAGE = 25;

# anyone got a better name?  :P
my $thingroot = $ENV{SCRIPT_FILENAME};
$thingroot =~ s|cgi-bin/search.cgi||;

# Set up the CGI object...
my $q = new CGI::Simple;
# ... and get query-string params as well as POST params if necessary
$q->parse_query_string;

# Convenience;  saves changing all references to %webvar
##fixme:  tweak for handling <select multiple='y' size=3> (list with multiple selection)
my %webvar = $q->Vars;

if (defined($webvar{rpp})) {
  ($RESULTS_PER_PAGE) = ($webvar{rpp} =~ /(\d+)/);
}

# Why not a global DB handle?  (And a global statement handle, as well...)
# Use the connectDB function, otherwise we end up confusing ourselves
my $ip_dbh;
my $sth;
my $errstr;
($ip_dbh,$errstr) = connectDB_My;
if ($ip_dbh) {
  checkDBSanity($ip_dbh);
  initIPDBGlobals($ip_dbh);
}

# Set up some globals
$ENV{HTML_TEMPLATE_ROOT} = $thingroot."templates";

my $page;
if (!defined($webvar{stype})) {
  $webvar{stype} = "<NULL>";   #shuts up the warnings.
  $page = HTML::Template->new(filename => "search/compsearch.tmpl",
        global_vars => 1);
} else {
  $page = HTML::Template->new(filename => "search/sresults.tmpl",
        global_vars => 1);
}
$page->param(webpath => $IPDB::webpath);

my $header = HTML::Template->new(filename => "header.tmpl");
$header->param(version => $IPDB::VERSION);
$header->param(addperm => $IPDBacl{$authuser} =~ /a/);
$header->param(webpath => $IPDB::webpath);
print "Content-type: text/html\n\n", $header->output;

# Handle the DB error first
if (!$ip_dbh) {
  $page = HTML::Template->new(filename => "dberr.tmpl");
  $page->param(errmsg => $errstr);
} elsif ($webvar{stype} eq 'q') {
  # Quick search.

  if (!$webvar{input}) {
    # No search term.  Display everything.
    viewBy('all', '');
  } else {
    # Search term entered.  Display matches.
    # We should really sanitize $webvar{input}, no?
    my $searchfor;
    # Chew up leading and trailing whitespace
    $webvar{input} =~ s/^\s+//;
    $webvar{input} =~ s/\s+$//;
    if ($webvar{input} =~ /^\d+$/) {
      # All-digits, new custID
      $searchfor = "cust";
    } elsif ($webvar{input} =~ /^[\d\.]+(\/\d{1,3})?$/) {
      # IP addresses should only have numbers, digits, and maybe a slash+netmask
      $searchfor = "ipblock";
    } else {
      # Anything else.
      $searchfor = "desc";
    }
    viewBy($searchfor, $webvar{input});
  }

} elsif ($webvar{stype} eq 'c') {
  # Complex search.

  # Several major cases, and a whole raft of individual cases.
  # -> Show all types means we do not need to limit records retrieved by type
  # -> Show all cities means we do not need to limit records retrieved by city
  # Individual cases are for the CIDR/IP, CustID, Description, Notes, and individual type
  # requests.

  my $sqlconcat;
  if ($webvar{which} eq 'all') {
    # Must match *all* specified criteria.      ## use INTERSECT or EXCEPT
    $sqlconcat = "INTERSECT";
  } elsif ($webvar{which} eq 'any') {
    # Match on any specified criteria           ## use UNION
    $sqlconcat = "UNION";
  } else {
    # sum-buddy tryn'a game the system.  Match "all"
    $sqlconcat = "INTERSECT";
  }

# We actually construct a monster SQL statement for all criteria.
# Iff something has been entered, it will be used as a filter.
# Iff something has NOT been entered, we still include it but in
# such a way that it does not actually filter anything out.

  # Columns actually returned.  Slightly better than hardcoding it
  # in each (sub)select
  my $cols = "cidr,custid,type,city,description,vrf,available";

  # hack fix for undefined variables
  $webvar{custid} = '' if !$webvar{custid};
  $webvar{desc}   = '' if !$webvar{desc};
  $webvar{notes}  = '' if !$webvar{notes};
  $webvar{custexclude}  = '' if !$webvar{custexclude};
  $webvar{descexclude}  = '' if !$webvar{descexclude};
  $webvar{notesexclude} = '' if !$webvar{notesexclude};

  # First chunk of SQL.  Filter on custid, description, and notes as necessary.
  my $sql = qq(SELECT $cols FROM searchme\n);
  $sql .= " WHERE $webvar{custexclude} (custid ~ '$webvar{custid}')\n";
  $sql .= " $sqlconcat (select $cols from searchme where $webvar{descexclude} description ~ '$webvar{desc}')\n";
  $sql .= " $sqlconcat (select $cols from searchme where $webvar{notesexclude} notes ~ '$webvar{notes}')";

  # If we're not supposed to search for all types, search for the selected types.
  $webvar{alltypes} = '' if !$webvar{alltypes};
  $webvar{typeexclude} = '' if !$webvar{typeexclude};
  if ($webvar{alltypes} ne 'on') {
    $sql .= " $sqlconcat (select $cols from searchme where $webvar{typeexclude} type in (";
    foreach my $key (keys %webvar) {
      $sql .= "'$1'," if $key =~ /type\[(..)\]/;
    }
    chop $sql;
    $sql .= "))";
  }

  # If we're not supposed to search for all cities, search for the selected cities.
  # This could be vastly improved with proper foreign keys in the database.
  $webvar{allcities} = '' if !$webvar{allcities};
  $webvar{cityexclude} = '' if !$webvar{cityexclude};
  if ($webvar{allcities} ne 'on') {
    $sql .= " $sqlconcat (select $cols from searchme where $webvar{cityexclude} city in (";
    $sth = $ip_dbh->prepare("select city from cities where id=?");
    foreach my $key (keys %webvar) {
      if ($key =~ /city\[(\d+)\]/) {
        $sth->execute($1);
        my $city;
        $sth->bind_columns(\$city);
        $sth->fetch;
        $city =~ s/'/''/;
        $sql .= "'$city',";
      }
    }
    chop $sql;
    $sql .= "))";
  }

  ## CIDR query options.
  $webvar{cidr} =~ s/\s+//;     # Hates the nasty spaceseseses we does.
  if ($webvar{cidr} eq '') { # We has a blank CIDR.  Ignore it.
  } elsif ($webvar{cidr} =~ /\//) {
    # 192.168.179/26 should show all /26 subnets in 192.168.179
    my ($net,$maskbits) = split /\//, $webvar{cidr};
    if ($webvar{cidr} =~ /^(\d{1,3}\.){3}\d{1,3}\/\d{2}$/) {
      # /0->/9 are silly to worry about right now.  I don't think
      # we'll be getting a class A anytime soon.  <g>
      $sql .= " $sqlconcat (select $cols from searchme where ".
        "$webvar{cidrexclude} cidr<<='$webvar{cidr}')";
    } else {
      # Partial match;  beginning of subnet and maskbits are provided
      # Show any blocks with the leading octet(s) and that masklength
      # Need some more magic for bare /nn searches:
      my $condition = ($net eq '' ?
        "masklen(cidr)=$maskbits" : "text(cidr) like '$net%' and masklen(cidr)=$maskbits");
      $sql .= " $sqlconcat (select $cols from searchme where $webvar{cidrexclude} ".
        "($condition))";
    }
  } elsif ($webvar{cidr} =~ /^(\d{1,3}\.){3}\d{1,3}$/) {
    # Specific IP address match.  Will show either a single netblock,
    # or a static pool plus an IP.
    $sql .= " $sqlconcat (select $cols from searchme where $webvar{cidrexclude} ".
        "cidr >>= '$webvar{cidr}')";
  } elsif ($webvar{cidr} =~ /^\d{1,3}(\.(\d{1,3}(\.(\d{1,3}\.?)?)?)?)?$/) {
    # Leading octets in CIDR
    $sql .= " $sqlconcat (select $cols from searchme where $webvar{cidrexclude} ".
        "text(cidr) like '$webvar{cidr}%')";
  } else {
    # do nothing.
    ##fixme  we'll ignore this to clear out the references to legacy code.
  } # done with CIDR query options.

  # Find the offset for multipage results
  my $offset = ($webvar{page}-1)*$RESULTS_PER_PAGE;

  # Find out how many rows the "core" query will return.
  my $count = countRows($sql);

  if ($count == 0) {
    $page->param(errmsg => "No matches found.  Try eliminating one of the criteria,".
        " or making one or more criteria more general.");
  } else {
    # Add the limit/offset clauses
    $sql .= " order by cidr";
    $sql .= " limit $RESULTS_PER_PAGE offset $offset" if $RESULTS_PER_PAGE != 0;
    # And tell the user.
    print "<div class=heading>Searching...............</div>\n";
    queryResults($sql, $webvar{page}, $count);
  }

} elsif ($webvar{stype} eq 'n') {
  # Node search.

  my $sql = "SELECT cidr,custid,type,city,description FROM searchme".
        " WHERE cidr IN (SELECT block FROM noderef WHERE node_id=$webvar{node})";

  # Find the offset for multipage results
  my $offset = ($webvar{page}-1)*$RESULTS_PER_PAGE;

  # Find out how many rows the "core" query will return.
  my $count = countRows($sql);

  if ($count == 0) {
    $page->param(errmsg => "No customers currently listed as connected through this node.");
##fixme:  still get the results table header
  } else {
    # Add the limit/offset clauses
    $sql .= " order by cidr";
    $sql .= " limit $RESULTS_PER_PAGE offset $offset" if $RESULTS_PER_PAGE != 0;
    # And tell the user.
    print "<div class=heading>Searching...............</div>\n";
    queryResults($sql, $webvar{page}, $count);
  }

} else { # how script was called.  General case is to show the search criteria page.

# Generate table of types
  $sth = $ip_dbh->prepare("select type,dispname from alloctypes where listorder <500 ".
        "order by listorder");
  $sth->execute;
  my $i=0;
  my @typelist;
  while (my ($type,$dispname) = $sth->fetchrow_array) {
    my %row = (
        newrow => ($i % 4 == 0),
        type => $type,
        dispname => $dispname,
        endrow => ($i++ % 4 == 3)
        );
    push @typelist, \%row;
  }
  $page->param(typelist => \@typelist);

# Generate table of cities
  $sth = $ip_dbh->prepare("select id,city from cities order by city");
  $sth->execute;
  $i=0;
  my @citylist;
  while (my ($id, $city) = $sth->fetchrow_array) {
    my %row = (
        newrow => ($i % 4 == 0),
        id => $id,
        city => $city,
        endrow => ($i++ % 4 == 3)
        );      
    push @citylist, \%row;
  }
  $page->param(citylist => \@citylist);

}

print $page->output;

# Shut down and clean up.
finish($ip_dbh);

# We print the footer here, so we don't have to do it elsewhere.
my $footer = HTML::Template->new(filename => "footer.tmpl");
# include the admin tools link in the output?
$footer->param(adminlink => ($IPDBacl{$authuser} =~ /A/));
$footer->param(webpath => $IPDB::webpath);

print $footer->output;

# We shouldn't need to directly execute any code below here;  it's all subroutines.
exit 0;


# viewBy()
# The quick search
# Takes a category descriptor and a query string
# Creates appropriate SQL to run the search and display the results
# with queryResults()
sub viewBy {
  my ($category,$query) = @_;

  # Local variables
  my $sql;

  # Calculate start point for LIMIT clause
  my $offset = ($webvar{page}-1)*$RESULTS_PER_PAGE;

# Possible cases:
# 1) Partial IP/subnet.  Treated as "octet-prefix".
# 2a) CIDR subnet.  Exact match.
# 2b) CIDR netmask.  YMMV but it should be octet-prefix-with-netmask
#       (ie, all matches with the octet prefix *AND* that netmask)
# 3) Customer ID.  "Match-any-segment"
# 4) Description.  "Match-any-segment"
# 5) Invalid data which might be interpretable as an IP or something, but
#    which probably shouldn't be for reasons of sanity.

  my $cols = "cidr,custid,type,city,description,vrf,available";

  if ($category eq 'all') {

    $sql = "select $cols from searchme";
    my $count = countRows($sql);
    $sql .= " order by cidr limit $RESULTS_PER_PAGE offset $offset";
    queryResults($sql, $webvar{page}, $count);

  } elsif ($category eq 'cust' || $category eq 'desc') {

##fixme:  this and other quick-search areas;  fix up page heading title similar to first grouping above
    print qq(<div class="heading">Searching for Customer IDs or Descriptions containing '$query'</div><br>\n);

# head off the worst of SQL injection.  search really needs a big rewrite...
$query =~ s/'/''/g;
    # Query for a customer ID.  Note that we can't restrict to "numeric-only"
    # as we have non-numeric custIDs in the legacy data.  :/
    $sql = "select $cols from searchme where custid ilike '%$query%'".
        " or description ilike '%$query%' or vrf ilike '%$query%'";
    my $count = countRows($sql);
    $sql .= " order by cidr limit $RESULTS_PER_PAGE offset $offset";
    queryResults($sql, $webvar{page}, $count);

  } elsif ($category =~ /ipblock/) {

    # Query is for a partial IP, a CIDR block in some form, or a flat IP.
    print qq(<div class="heading">Searching for IP-based matches on '$query'</div><br>\n);

    $query =~ s/\s+//g;
    if ($query =~ /\//) {
      # 192.168.179/26 should show all /26 subnets in 192.168.179
      my ($net,$maskbits) = split /\//, $query;
      if ($query =~ /^(\d{1,3}\.){3}\d{1,3}\/\d{2}$/) {
        # /0->/9 are silly to worry about right now.  I don't think
        # we'll be getting a class A anytime soon.  <g>
        $sql = "select $cols from searchme where cidr='$query'";
        queryResults($sql, $webvar{page}, 1);
      } else {
        #print "Finding all blocks with netmask /$maskbits, leading octet(s) $net<br>\n";
        # Partial match;  beginning of subnet and maskbits are provided
        $sql = "select $cols from searchme where text(cidr) like '$net%' and ".
                "text(cidr) like '%$maskbits'";
        my $count = countRows($sql);
        $sql .= " order by cidr limit $RESULTS_PER_PAGE offset $offset";
        queryResults($sql, $webvar{page}, $count);
      }
    } elsif ($query =~ /^(\d{1,3}\.){3}\d{1,3}$/) {
      # Specific IP address match
      #print "4-octet pattern found;  finding netblock containing IP $query<br>\n";
      my ($net,$ip) = ($query =~ /(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})/);
      my $sfor = new NetAddr::IP $query;
      $sth = $ip_dbh->prepare("select $cols from searchme where text(cidr) like '$net%'");
      $sth->execute;
      while (my @data = $sth->fetchrow_array()) {
        my $cidr = new NetAddr::IP $data[0];
        if ($cidr->contains($sfor)) {
          queryResults("select $cols from searchme where cidr='$cidr'", $webvar{page}, 1);
        }
      }
    } elsif ($query =~ /^(\d{1,3}\.){1,3}\d{1,3}\.?$/) {
      #print "Finding matches with leading octet(s) $query<br>\n";
      $sql = "select $cols from searchme where text(cidr) like '$query%'";
      my $count = countRows($sql);
      $sql .= " order by cidr limit $RESULTS_PER_PAGE offset $offset";
      queryResults($sql, $webvar{page}, $count);
    } else {
      # This shouldn't happen, but if it does, whoever gets it deserves what they get...
      $page->param(errmsg => "Invalid query.");
    }
  } else {
    # This shouldn't happen, but if it does, whoever gets it deserves what they get...
    $page->param(errmsg => "Invalid searchfor.");
  }
} # viewBy


# args are: a reference to an array with the row to be printed and the 
# class(stylesheet) to use for formatting.
# if ommitting the class - call the sub as &printRow(\@array)
sub printRow {
  my ($rowRef,$class) = @_;

  if (!$class) {
    print "<tr>\n";
  } else {
    print "<tr class=\"$class\">\n";
  }

ELEMENT:  foreach my $element (@$rowRef) {
    if (!defined($element)) {
      print "<td></td>\n";
      next ELEMENT;
    }
    $element =~ s|\n|</br>|g;
    print "<td>$element</td>\n";
  }
  print "</tr>";
} # printRow


# queryResults()
# Display search queries based on the passed SQL.
# Takes SQL, page number (for multipage search results), and a total count.
sub queryResults {
  my ($sql, $pageNo, $rowCount) = @_;
  my $offset = 0;
  $offset = $1 if($sql =~ m/.*limit\s+(.*),.*/);

  my $sth = $ip_dbh->prepare($sql);
  $sth->execute();

  $page->param(searchtitle => "Showing all netblock and static-IP allocations");

  my $count = 0;
  my @sresults;
  while (my ($block, $custid, $type, $city, $desc, $vrf, $avail) = $sth->fetchrow_array) {
    my %row = (
        rowclass => $count++ % 2,
        issub => ($type =~ /^.r$/ ? 1 : 0),
        block => $block,
        ispool => ($type =~ /^.[pd]$/ ? 1 : 0),
        custid => $custid,
        disptype => $disp_alloctypes{$type},
        city => $city,
        desc => $desc,
        vrf => $vrf,
        avail => ($avail eq 'y' ? 1 : 0),
        );
    push @sresults, \%row;
  }
  $page->param(sresults => \@sresults);

  # Have to think on this call, it's primarily to clean up unfetched rows from a select.
  # In this context it's probably a good idea.
  $sth->finish();

  my $upper = $offset+$count;

  $page->param(resfound => $rowCount);
  $page->param(resstart => $offset+1);
  $page->param(resstop => $upper);

  # print the page thing..
  if ($RESULTS_PER_PAGE > 0 && $rowCount > $RESULTS_PER_PAGE) {
    $page->param(multipage => 1);
    my $pages = ceil($rowCount/$RESULTS_PER_PAGE);
    my @pagelist;
    for (my $i = 1; $i <= $pages; $i++) {
      my %row;
      $row{pgnum} = $i;
      if ($i == $pageNo) {
        $row{thispage} = 1;
      } else {
        $row{stype} = $webvar{stype};
        if ($webvar{stype} eq 'c') {
          $row{extraopts} = "cidr=$webvar{cidr}&custid=$webvar{custid}&desc=$webvar{desc}&".
                "notes=$webvar{notes}&which=$webvar{which}&alltypes=$webvar{alltypes}&".
                "allcities=$webvar{allcities}&";
          foreach my $key (keys %webvar) {
            if ($key =~ /^(?:type|city)\[/ || $key =~ /exclude$/) {
              $row{extraopts} .= "$key=$webvar{$key}&";
            }
          }
        } else {
          $row{extraopts} = "input=$webvar{input}&";
        }
      }
      push @pagelist, \%row;
    }
    $page->param(pgnums => \@pagelist);
  }

} # queryResults


# Prints table headings.  Accepts any number of arguments;
# each argument is a table heading.
sub startTable {
  print qq(<center><table width="98%" cellspacing="0" class="center"><tr>);

  foreach(@_) {
    print qq(<td class="heading">$_</td>);
  }
  print "</tr>\n";
} # startTable


# Return count of rows to be returned in a "real" query
# with the passed SQL statement
sub countRows {
  # Note that the "as foo" is required
  my $sth = $ip_dbh->prepare("select count(*) from ($_[0]) as foo");
  $sth->execute();
  my @a = $sth->fetchrow_array();
  $sth->finish();
  return $a[0];
}