mirror
/
oragono
mirror of https://github.com/oragono/oragono
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 69 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
853 Commits
21 Branches
Tree: 21a061c137
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '21a061c137'
${ noResults }
oragono/irc/accounts.go

accounts.go 9.8KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328 
  1. // Copyright (c) 2016-2017 Daniel Oaks <daniel@danieloaks.net>

  2. // released under the MIT license

  3. 

  4. package irc

  5. 

  6. import (

  7. 	"bytes"

  8. 	"encoding/base64"

  9. 	"encoding/json"

  10. 	"errors"

  11. 	"fmt"

  12. 	"strconv"

  13. 	"strings"

  14. 	"time"

  15. 

  16. 	"github.com/goshuirc/irc-go/ircfmt"

  17. 	"github.com/goshuirc/irc-go/ircmsg"

  18. 	"github.com/oragono/oragono/irc/sno"

  19. 	"github.com/tidwall/buntdb"

  20. )

  21. 

  22. const (

  23. 	keyAccountExists      = "account.exists %s"

  24. 	keyAccountVerified    = "account.verified %s"

  25. 	keyAccountName        = "account.name %s" // stores the 'preferred name' of the account, not casemapped

  26. 	keyAccountRegTime     = "account.registered.time %s"

  27. 	keyAccountCredentials = "account.credentials %s"

  28. 	keyCertToAccount      = "account.creds.certfp %s"

  29. )

  30. 

  31. var (

  32. 	// EnabledSaslMechanisms contains the SASL mechanisms that exist and that we support.

  33. 	// This can be moved to some other data structure/place if we need to load/unload mechs later.

  34. 	EnabledSaslMechanisms = map[string]func(*Server, *Client, string, []byte) bool{

  35. 		"PLAIN":    authPlainHandler,

  36. 		"EXTERNAL": authExternalHandler,

  37. 	}

  38. 

  39. 	// NoAccount is a placeholder which means that the user is not logged into an account.

  40. 	NoAccount = ClientAccount{

  41. 		Name: "*", // * is used until actual account name is set

  42. 	}

  43. 

  44. 	// generic sasl fail error

  45. 	errSaslFail = errors.New("SASL failed")

  46. )

  47. 

  48. // ClientAccount represents a user account.

  49. type ClientAccount struct {

  50. 	// Name of the account.

  51. 	Name string

  52. 	// RegisteredAt represents the time that the account was registered.

  53. 	RegisteredAt time.Time

  54. 	// Clients that are currently logged into this account (useful for notifications).

  55. 	Clients []*Client

  56. }

  57. 

  58. // loadAccountCredentials loads an account's credentials from the store.

  59. func loadAccountCredentials(tx *buntdb.Tx, accountKey string) (*AccountCredentials, error) {

  60. 	credText, err := tx.Get(fmt.Sprintf(keyAccountCredentials, accountKey))

  61. 	if err != nil {

  62. 		return nil, err

  63. 	}

  64. 

  65. 	var creds AccountCredentials

  66. 	err = json.Unmarshal([]byte(credText), &creds)

  67. 	if err != nil {

  68. 		return nil, err

  69. 	}

  70. 

  71. 	return &creds, nil

  72. }

  73. 

  74. // loadAccount loads an account from the store, note that the account must actually exist.

  75. func loadAccount(server *Server, tx *buntdb.Tx, accountKey string) *ClientAccount {

  76. 	name, _ := tx.Get(fmt.Sprintf(keyAccountName, accountKey))

  77. 	regTime, _ := tx.Get(fmt.Sprintf(keyAccountRegTime, accountKey))

  78. 	regTimeInt, _ := strconv.ParseInt(regTime, 10, 64)

  79. 	accountInfo := ClientAccount{

  80. 		Name:         name,

  81. 		RegisteredAt: time.Unix(regTimeInt, 0),

  82. 		Clients:      []*Client{},

  83. 	}

  84. 	server.accounts[accountKey] = &accountInfo

  85. 

  86. 	return &accountInfo

  87. }

  88. 

  89. // authenticateHandler parses the AUTHENTICATE command (for SASL authentication).

  90. func authenticateHandler(server *Server, client *Client, msg ircmsg.IrcMessage) bool {

  91. 	// sasl abort

  92. 	if !server.accountAuthenticationEnabled || len(msg.Params) == 1 && msg.Params[0] == "*" {

  93. 		client.Send(nil, server.name, ERR_SASLABORTED, client.nick, "SASL authentication aborted")

  94. 		client.saslInProgress = false

  95. 		client.saslMechanism = ""

  96. 		client.saslValue = ""

  97. 		return false

  98. 	}

  99. 

  100. 	// start new sasl session

  101. 	if !client.saslInProgress {

  102. 		mechanism := strings.ToUpper(msg.Params[0])

  103. 		_, mechanismIsEnabled := EnabledSaslMechanisms[mechanism]

  104. 

  105. 		if mechanismIsEnabled {

  106. 			client.saslInProgress = true

  107. 			client.saslMechanism = mechanism

  108. 			client.Send(nil, server.name, "AUTHENTICATE", "+")

  109. 		} else {

  110. 			client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed")

  111. 		}

  112. 

  113. 		return false

  114. 	}

  115. 

  116. 	// continue existing sasl session

  117. 	rawData := msg.Params[0]

  118. 

  119. 	if len(rawData) > 400 {

  120. 		client.Send(nil, server.name, ERR_SASLTOOLONG, client.nick, "SASL message too long")

  121. 		client.saslInProgress = false

  122. 		client.saslMechanism = ""

  123. 		client.saslValue = ""

  124. 		return false

  125. 	} else if len(rawData) == 400 {

  126. 		client.saslValue += rawData

  127. 		// allow 4 'continuation' lines before rejecting for length

  128. 		if len(client.saslValue) > 400*4 {

  129. 			client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed: Passphrase too long")

  130. 			client.saslInProgress = false

  131. 			client.saslMechanism = ""

  132. 			client.saslValue = ""

  133. 			return false

  134. 		}

  135. 		return false

  136. 	}

  137. 	if rawData != "+" {

  138. 		client.saslValue += rawData

  139. 	}

  140. 

  141. 	var data []byte

  142. 	var err error

  143. 	if client.saslValue != "+" {

  144. 		data, err = base64.StdEncoding.DecodeString(client.saslValue)

  145. 		if err != nil {

  146. 			client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed: Invalid b64 encoding")

  147. 			client.saslInProgress = false

  148. 			client.saslMechanism = ""

  149. 			client.saslValue = ""

  150. 			return false

  151. 		}

  152. 	}

  153. 

  154. 	// call actual handler

  155. 	handler, handlerExists := EnabledSaslMechanisms[client.saslMechanism]

  156. 

  157. 	// like 100% not required, but it's good to be safe I guess

  158. 	if !handlerExists {

  159. 		client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed")

  160. 		client.saslInProgress = false

  161. 		client.saslMechanism = ""

  162. 		client.saslValue = ""

  163. 		return false

  164. 	}

  165. 

  166. 	// let the SASL handler do its thing

  167. 	exiting := handler(server, client, client.saslMechanism, data)

  168. 

  169. 	// wait 'til SASL is done before emptying the sasl vars

  170. 	client.saslInProgress = false

  171. 	client.saslMechanism = ""

  172. 	client.saslValue = ""

  173. 

  174. 	return exiting

  175. }

  176. 

  177. // authPlainHandler parses the SASL PLAIN mechanism.

  178. func authPlainHandler(server *Server, client *Client, mechanism string, value []byte) bool {

  179. 	splitValue := bytes.Split(value, []byte{'\000'})

  180. 

  181. 	var accountKey, authzid string

  182. 

  183. 	if len(splitValue) == 3 {

  184. 		accountKey = string(splitValue[0])

  185. 		authzid = string(splitValue[1])

  186. 

  187. 		if accountKey == "" {

  188. 			accountKey = authzid

  189. 		} else if accountKey != authzid {

  190. 			client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed: authcid and authzid should be the same")

  191. 			return false

  192. 		}

  193. 	} else {

  194. 		client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed: Invalid auth blob")

  195. 		return false

  196. 	}

  197. 

  198. 	// keep it the same as in the REG CREATE stage

  199. 	accountKey, err := CasefoldName(accountKey)

  200. 	if err != nil {

  201. 		client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed: Bad account name")

  202. 		return false

  203. 	}

  204. 

  205. 	// load and check acct data all in one update to prevent races.

  206. 	// as noted elsewhere, change to proper locking for Account type later probably

  207. 	err = server.store.Update(func(tx *buntdb.Tx) error {

  208. 		// confirm account is verified

  209. 		_, err = tx.Get(fmt.Sprintf(keyAccountVerified, accountKey))

  210. 		if err != nil {

  211. 			return errSaslFail

  212. 		}

  213. 

  214. 		creds, err := loadAccountCredentials(tx, accountKey)

  215. 		if err != nil {

  216. 			return err

  217. 		}

  218. 

  219. 		// ensure creds are valid

  220. 		password := string(splitValue[2])

  221. 		if len(creds.PassphraseHash) < 1 || len(creds.PassphraseSalt) < 1 || len(password) < 1 {

  222. 			return errSaslFail

  223. 		}

  224. 		err = server.passwords.CompareHashAndPassword(creds.PassphraseHash, creds.PassphraseSalt, password)

  225. 

  226. 		// succeeded, load account info if necessary

  227. 		account, exists := server.accounts[accountKey]

  228. 		if !exists {

  229. 			account = loadAccount(server, tx, accountKey)

  230. 		}

  231. 

  232. 		client.LoginToAccount(account)

  233. 

  234. 		return err

  235. 	})

  236. 

  237. 	if err != nil {

  238. 		client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed")

  239. 		return false

  240. 	}

  241. 

  242. 	client.successfulSaslAuth()

  243. 	return false

  244. }

  245. 

  246. // LoginToAccount logs the client into the given account.

  247. func (client *Client) LoginToAccount(account *ClientAccount) {

  248. 	if client.account == account {

  249. 		// already logged into this acct, no changing necessary

  250. 		return

  251. 	} else if client.account != nil {

  252. 		// logout of existing acct

  253. 		var newClientAccounts []*Client

  254. 		for _, c := range account.Clients {

  255. 			if c != client {

  256. 				newClientAccounts = append(newClientAccounts, c)

  257. 			}

  258. 		}

  259. 		account.Clients = newClientAccounts

  260. 	}

  261. 

  262. 	account.Clients = append(account.Clients, client)

  263. 	client.account = account

  264. 	client.server.snomasks.Send(sno.LocalAccounts, fmt.Sprintf(ircfmt.Unescape("Client $c[grey][$r%s$c[grey]] logged into account $c[grey][$r%s$c[grey]]"), client.nickMaskString, account.Name))

  265. }

  266. 

  267. // authExternalHandler parses the SASL EXTERNAL mechanism.

  268. func authExternalHandler(server *Server, client *Client, mechanism string, value []byte) bool {

  269. 	if client.certfp == "" {

  270. 		client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed, you are not connecting with a caertificate")

  271. 		return false

  272. 	}

  273. 

  274. 	err := server.store.Update(func(tx *buntdb.Tx) error {

  275. 		// certfp lookup key

  276. 		accountKey, err := tx.Get(fmt.Sprintf(keyCertToAccount, client.certfp))

  277. 		if err != nil {

  278. 			return errSaslFail

  279. 		}

  280. 

  281. 		// confirm account exists

  282. 		_, err = tx.Get(fmt.Sprintf(keyAccountExists, accountKey))

  283. 		if err != nil {

  284. 			return errSaslFail

  285. 		}

  286. 

  287. 		// confirm account is verified

  288. 		_, err = tx.Get(fmt.Sprintf(keyAccountVerified, accountKey))

  289. 		if err != nil {

  290. 			return errSaslFail

  291. 		}

  292. 

  293. 		// confirm the certfp in that account's credentials

  294. 		creds, err := loadAccountCredentials(tx, accountKey)

  295. 		if err != nil || creds.Certificate != client.certfp {

  296. 			return errSaslFail

  297. 		}

  298. 

  299. 		// succeeded, load account info if necessary

  300. 		account, exists := server.accounts[accountKey]

  301. 		if !exists {

  302. 			account = loadAccount(server, tx, accountKey)

  303. 		}

  304. 

  305. 		client.LoginToAccount(account)

  306. 

  307. 		return nil

  308. 	})

  309. 

  310. 	if err != nil {

  311. 		client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed")

  312. 		return false

  313. 	}

  314. 

  315. 	client.successfulSaslAuth()

  316. 	return false

  317. }

  318. 

  319. // successfulSaslAuth means that a SASL auth attempt completed successfully, and is used to dispatch messages.

  320. func (client *Client) successfulSaslAuth() {

  321. 	client.Send(nil, client.server.name, RPL_LOGGEDIN, client.nick, client.nickMaskString, client.account.Name, fmt.Sprintf("You are now logged in as %s", client.account.Name))

  322. 	client.Send(nil, client.server.name, RPL_SASLSUCCESS, client.nick, "SASL authentication successful")

  323. 

  324. 	// dispatch account-notify

  325. 	for friend := range client.Friends(AccountNotify) {

  326. 		friend.Send(nil, client.nickMaskString, "ACCOUNT", client.account.Name)

  327. 	}

  328. }