|
@@ -200,7 +200,7 @@ func (server *Server) checkBans(config *Config, ipaddr net.IP, checkScripts bool
|
200
|
200
|
server.logger.Warning("internal", "unexpected ban result", err.Error())
|
201
|
201
|
}
|
202
|
202
|
|
203
|
|
- if checkScripts && config.Server.IPCheckScript.Enabled {
|
|
203
|
+ if checkScripts && config.Server.IPCheckScript.Enabled && !config.Server.IPCheckScript.ExemptSASL {
|
204
|
204
|
output, err := CheckIPBan(server.semaphores.IPCheckScript, config.Server.IPCheckScript, ipaddr)
|
205
|
205
|
if err != nil {
|
206
|
206
|
server.logger.Error("internal", "couldn't check IP ban script", ipaddr.String(), err.Error())
|
|
@@ -267,9 +267,26 @@ func (server *Server) handleAlwaysOnExpirations() {
|
267
|
267
|
}
|
268
|
268
|
}
|
269
|
269
|
|
270
|
|
-//
|
271
|
|
-// server functionality
|
272
|
|
-//
|
|
270
|
+// handles server.ip-check-script.exempt-sasl:
|
|
271
|
+// run the ip check script at the end of the handshake, only for anonymous connections
|
|
272
|
+func (server *Server) checkBanScriptExemptSASL(config *Config, session *Session) (outcome AuthOutcome) {
|
|
273
|
+ // TODO add caching for this; see related code in (*server).checkBans;
|
|
274
|
+ // we should probably just put an LRU around this instead of using the DLINE system
|
|
275
|
+ ipaddr := session.IP()
|
|
276
|
+ output, err := CheckIPBan(server.semaphores.IPCheckScript, config.Server.IPCheckScript, ipaddr)
|
|
277
|
+ if err != nil {
|
|
278
|
+ server.logger.Error("internal", "couldn't check IP ban script", ipaddr.String(), err.Error())
|
|
279
|
+ return authSuccess
|
|
280
|
+ }
|
|
281
|
+ if output.Result == IPBanned || output.Result == IPRequireSASL {
|
|
282
|
+ server.logger.Info("connect-ip", "Rejecting unauthenticated client due to ip-check-script", ipaddr.String())
|
|
283
|
+ if output.BanMessage != "" {
|
|
284
|
+ session.client.requireSASLMessage = output.BanMessage
|
|
285
|
+ }
|
|
286
|
+ return authFailSaslRequired
|
|
287
|
+ }
|
|
288
|
+ return authSuccess
|
|
289
|
+}
|
273
|
290
|
|
274
|
291
|
func (server *Server) tryRegister(c *Client, session *Session) (exiting bool) {
|
275
|
292
|
// XXX PROXY or WEBIRC MUST be sent as the first line of the session;
|
|
@@ -294,6 +311,10 @@ func (server *Server) tryRegister(c *Client, session *Session) (exiting bool) {
|
294
|
311
|
// before completing the other registration commands
|
295
|
312
|
config := server.Config()
|
296
|
313
|
authOutcome := c.isAuthorized(server, config, session, c.requireSASL)
|
|
314
|
+ if authOutcome == authSuccess && c.account == "" &&
|
|
315
|
+ config.Server.IPCheckScript.Enabled && config.Server.IPCheckScript.ExemptSASL {
|
|
316
|
+ authOutcome = server.checkBanScriptExemptSASL(config, session)
|
|
317
|
+ }
|
297
|
318
|
var quitMessage string
|
298
|
319
|
switch authOutcome {
|
299
|
320
|
case authFailPass:
|