
add ip-check-script.exempt-sasl

tags/v2.9.0-rc1
Shivaram Lingamneni 2 år sedan
förälder
incheckning
0a59f41cf9
5 ändrade filer med 43 tillägg och 11 borttagningar
  1. 3
    0
      default.yaml
  2. 1
    1
      irc/authscript.go
  3. 11
    6
      irc/config.go
  4. 25
    4
      irc/server.go
  5. 3
    0
      traditional.yaml

+ 3
- 0
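--- a/default.yaml
+++ b/default.yaml
@@ -300,6 +300,9 @@
         kill-timeout: 1s
         # how many scripts are allowed to run at once? 0 for no limit:
         max-concurrency: 64
+        # if true, only check anonymous connections (not logged into an account)
+        # at the very end of the handshake:
+        exempt-sasl: false
 
     # IP cloaking hides users' IP addresses from other users and from channel admins
     # (but not from server admins), while still allowing channel admins to ban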
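Review bot: The new comment on `exempt-sasl` does not tell operators that enabling it changes what a ban verdict from the script means. Going by the irc/server.go section of this commit, the script is skipped at connect time and a banned result at the end of the handshake is answered with the SASL-required failure, so an address the script bans can still connect by logging into an account. I would add a line such as `# (a "banned" result then only forces SASL; logged-in clients are never checked)`. The identical comment added to traditional.yaml needs the same line.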

+ 1
- 1
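--- a/irc/authscript.go
+++ b/irc/authscript.go
@@ -84,7 +84,7 @@
 	Error        string `json:"error"`
 }
 
-func CheckIPBan(sem utils.Semaphore, config ScriptConfig, addr net.IP) (output IPScriptOutput, err error) {
+func CheckIPBan(sem utils.Semaphore, config IPCheckScriptConfig, addr net.IP) (output IPScriptOutput, err error) {
 	if sem != nil {
 		sem.Acquire()
 		defer sem.Release()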

+ 11
- 6
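--- a/irc/config.go
+++ b/irc/config.go
@@ -348,6 +348,11 @@
 	Autocreate   bool
 }
 
+type IPCheckScriptConfig struct {
+	ScriptConfig `yaml:",inline"`
+	ExemptSASL   bool `yaml:"exempt-sasl"`
+}
+
 // AccountRegistrationConfig controls account registration.
 type AccountRegistrationConfig struct {
 	Enabled            bool
@@ -587,12 +592,12 @@
 		supportedCapsWithoutSTS  *caps.Set
 		capValues                caps.Values
 		Casemapping              Casemapping
-		EnforceUtf8              bool         `yaml:"enforce-utf8"`
-		OutputPath               string       `yaml:"output-path"`
-		IPCheckScript            ScriptConfig `yaml:"ip-check-script"`
-		OverrideServicesHostname string       `yaml:"override-services-hostname"`
-		MaxLineLen               int          `yaml:"max-line-len"`
-		SuppressLusers           bool         `yaml:"suppress-lusers"`
+		EnforceUtf8              bool                `yaml:"enforce-utf8"`
+		OutputPath               string              `yaml:"output-path"`
+		IPCheckScript            IPCheckScriptConfig `yaml:"ip-check-script"`
+		OverrideServicesHostname string              `yaml:"override-services-hostname"`
+		MaxLineLen               int                 `yaml:"max-line-len"`
+		SuppressLusers           bool                `yaml:"suppress-lusers"`
 	}
 
 	Roleplay struct {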
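Review bot: `IPCheckScriptConfig` is added in the first hunk without a doc comment, although the type directly below it (`AccountRegistrationConfig`) has one and the new field changes when an access-control check runs. I would put `// IPCheckScriptConfig is ScriptConfig plus the settings specific to server.ip-check-script.` above the type. On `ExemptSASL` I would add `// if set, the script runs only at the end of the handshake, and only for sessions with no account`. Both statements are taken from the irc/server.go section of this commit; the rest of the config struct in the second hunk lies outside the visible lines.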

+ 25
- 4
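--- a/irc/server.go
+++ b/irc/server.go
@@ -200,7 +200,7 @@
 		server.logger.Warning("internal", "unexpected ban result", err.Error())
 	}
 
-	if checkScripts && config.Server.IPCheckScript.Enabled {
+	if checkScripts && config.Server.IPCheckScript.Enabled && !config.Server.IPCheckScript.ExemptSASL {
 		output, err := CheckIPBan(server.semaphores.IPCheckScript, config.Server.IPCheckScript, ipaddr)
 		if err != nil {
 			server.logger.Error("internal", "couldn't check IP ban script", ipaddr.String(), err.Error())
@@ -267,9 +267,26 @@
 	}
 }
 
-//
-// server functionality
-//
+// handles server.ip-check-script.exempt-sasl:
+// run the ip check script at the end of the handshake, only for anonymous connections
+func (server *Server) checkBanScriptExemptSASL(config *Config, session *Session) (outcome AuthOutcome) {
+	// TODO add caching for this; see related code in (*server).checkBans;
+	// we should probably just put an LRU around this instead of using the DLINE system
+	ipaddr := session.IP()
+	output, err := CheckIPBan(server.semaphores.IPCheckScript, config.Server.IPCheckScript, ipaddr)
+	if err != nil {
+		server.logger.Error("internal", "couldn't check IP ban script", ipaddr.String(), err.Error())
+		return authSuccess
+	}
+	if output.Result == IPBanned || output.Result == IPRequireSASL {
+		server.logger.Info("connect-ip", "Rejecting unauthenticated client due to ip-check-script", ipaddr.String())
+		if output.BanMessage != "" {
+			session.client.requireSASLMessage = output.BanMessage
+		}
+		return authFailSaslRequired
+	}
+	return authSuccess
+}
 
 func (server *Server) tryRegister(c *Client, session *Session) (exiting bool) {
 	// XXX PROXY or WEBIRC MUST be sent as the first line of the session;
@@ -294,6 +311,10 @@
 	// before completing the other registration commands
 	config := server.Config()
 	authOutcome := c.isAuthorized(server, config, session, c.requireSASL)
+	if authOutcome == authSuccess && c.account == "" &&
+		config.Server.IPCheckScript.Enabled && config.Server.IPCheckScript.ExemptSASL {
+		authOutcome = server.checkBanScriptExemptSASL(config, session)
+	}
 	var quitMessage string
 	switch authOutcome {
 	case authFailPass: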
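Review bot: In `checkBanScriptExemptSASL` the `err != nil` branch returns `authSuccess`, so any script error or timeout admits the anonymous connection with no IP check at all, and nothing in the function says this is deliberate. If failing open is the intended policy (the error branch of the existing connect-time check in the first hunk is cut off, so I cannot confirm the two agree), state it at the return, e.g. `// fail open: a broken or slow script must not lock out every anonymous user`. The Error log written there is then what operators would need to alert on. The next branch maps `IPBanned` to `authFailSaslRequired`, which deserves its own one-line comment, since in this mode a ban verdict only forces a login instead of refusing the address. As the TODO already notes, nothing is cached here, so every anonymous registration runs the script and waits on the semaphore.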

+ 3
- 0
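--- a/traditional.yaml
+++ b/traditional.yaml
@@ -274,6 +274,9 @@
         kill-timeout: 1s
         # how many scripts are allowed to run at once? 0 for no limit:
         max-concurrency: 64
+        # if true, only check anonymous connections (not logged into an account)
+        # at the very end of the handshake:
+        exempt-sasl: false
 
     # IP cloaking hides users' IP addresses from other users and from channel admins
     # (but not from server admins), while still allowing channel admins to ban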
