mirror
/
oragono
mirror of https://github.com/oragono/oragono
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 70 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
902 Commits
21 Branches
Tree: 26686d7e86
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '26686d7e86'
${ noResults }
oragono/irc/accountreg.go

accountreg.go 10KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296 
  1. // Copyright (c) 2016-2017 Daniel Oaks <daniel@danieloaks.net>

  2. // released under the MIT license

  3. 

  4. package irc

  5. 

  6. import (

  7. 	"encoding/json"

  8. 	"errors"

  9. 	"fmt"

  10. 	"log"

  11. 	"strconv"

  12. 	"strings"

  13. 	"time"

  14. 

  15. 	"github.com/goshuirc/irc-go/ircfmt"

  16. 	"github.com/goshuirc/irc-go/ircmsg"

  17. 	"github.com/oragono/oragono/irc/sno"

  18. 	"github.com/tidwall/buntdb"

  19. )

  20. 

  21. var (

  22. 	errAccountCreation     = errors.New("Account could not be created")

  23. 	errCertfpAlreadyExists = errors.New("An account already exists with your certificate")

  24. )

  25. 

  26. // AccountRegistration manages the registration of accounts.

  27. type AccountRegistration struct {

  28. 	Enabled                    bool

  29. 	EnabledCallbacks           []string

  30. 	EnabledCredentialTypes     []string

  31. 	AllowMultiplePerConnection bool

  32. }

  33. 

  34. // AccountCredentials stores the various methods for verifying accounts.

  35. type AccountCredentials struct {

  36. 	PassphraseSalt []byte

  37. 	PassphraseHash []byte

  38. 	Certificate    string // fingerprint

  39. }

  40. 

  41. // NewAccountRegistration returns a new AccountRegistration, configured correctly.

  42. func NewAccountRegistration(config AccountRegistrationConfig) (accountReg AccountRegistration) {

  43. 	if config.Enabled {

  44. 		accountReg.Enabled = true

  45. 		accountReg.AllowMultiplePerConnection = config.AllowMultiplePerConnection

  46. 		for _, name := range config.EnabledCallbacks {

  47. 			// we store "none" as "*" internally

  48. 			if name == "none" {

  49. 				name = "*"

  50. 			}

  51. 			accountReg.EnabledCallbacks = append(accountReg.EnabledCallbacks, name)

  52. 		}

  53. 		// no need to make this configurable, right now at least

  54. 		accountReg.EnabledCredentialTypes = []string{

  55. 			"passphrase",

  56. 			"certfp",

  57. 		}

  58. 	}

  59. 	return accountReg

  60. }

  61. 

  62. // accHandler parses the ACC command.

  63. func accHandler(server *Server, client *Client, msg ircmsg.IrcMessage) bool {

  64. 	subcommand := strings.ToLower(msg.Params[0])

  65. 

  66. 	if subcommand == "register" {

  67. 		return accRegisterHandler(server, client, msg)

  68. 	} else if subcommand == "verify" {

  69. 		client.Notice("VERIFY is not yet implemented")

  70. 	} else {

  71. 		client.Send(nil, server.name, ERR_UNKNOWNERROR, client.nick, "ACC", msg.Params[0], "Unknown subcommand")

  72. 	}

  73. 

  74. 	return false

  75. }

  76. 

  77. // removeFailedAccRegisterData removes the data created by ACC REGISTER if the account creation fails early.

  78. func removeFailedAccRegisterData(store *buntdb.DB, account string) {

  79. 	// error is ignored here, we can't do much about it anyways

  80. 	store.Update(func(tx *buntdb.Tx) error {

  81. 		tx.Delete(fmt.Sprintf(keyAccountExists, account))

  82. 		tx.Delete(fmt.Sprintf(keyAccountRegTime, account))

  83. 		tx.Delete(fmt.Sprintf(keyAccountCredentials, account))

  84. 

  85. 		return nil

  86. 	})

  87. }

  88. 

  89. // accRegisterHandler parses the ACC REGISTER command.

  90. func accRegisterHandler(server *Server, client *Client, msg ircmsg.IrcMessage) bool {

  91. 	// make sure reg is enabled

  92. 	if !server.accountRegistration.Enabled {

  93. 		client.Send(nil, server.name, ERR_REG_UNSPECIFIED_ERROR, client.nick, "*", "Account registration is disabled")

  94. 		return false

  95. 	}

  96. 

  97. 	// clients can't reg new accounts if they're already logged in

  98. 	if client.LoggedIntoAccount() {

  99. 		if server.accountRegistration.AllowMultiplePerConnection {

  100. 			client.LogoutOfAccount()

  101. 		} else {

  102. 			client.Send(nil, server.name, ERR_REG_UNSPECIFIED_ERROR, client.nick, "*", "You're already logged into an account")

  103. 			return false

  104. 		}

  105. 	}

  106. 

  107. 	// get and sanitise account name

  108. 	account := strings.TrimSpace(msg.Params[1])

  109. 	casefoldedAccount, err := CasefoldName(account)

  110. 	// probably don't need explicit check for "*" here... but let's do it anyway just to make sure

  111. 	if err != nil || msg.Params[1] == "*" {

  112. 		client.Send(nil, server.name, ERR_REG_UNSPECIFIED_ERROR, client.nick, account, "Account name is not valid")

  113. 		return false

  114. 	}

  115. 

  116. 	// check whether account exists

  117. 	// do it all in one write tx to prevent races

  118. 	err = server.store.Update(func(tx *buntdb.Tx) error {

  119. 		accountKey := fmt.Sprintf(keyAccountExists, casefoldedAccount)

  120. 

  121. 		_, err := tx.Get(accountKey)

  122. 		if err != buntdb.ErrNotFound {

  123. 			//TODO(dan): if account verified key doesn't exist account is not verified, calc the maximum time without verification and expire and continue if need be

  124. 			client.Send(nil, server.name, ERR_ACCOUNT_ALREADY_EXISTS, client.nick, account, "Account already exists")

  125. 			return errAccountCreation

  126. 		}

  127. 

  128. 		registeredTimeKey := fmt.Sprintf(keyAccountRegTime, casefoldedAccount)

  129. 

  130. 		tx.Set(accountKey, "1", nil)

  131. 		tx.Set(fmt.Sprintf(keyAccountName, casefoldedAccount), account, nil)

  132. 		tx.Set(registeredTimeKey, strconv.FormatInt(time.Now().Unix(), 10), nil)

  133. 		return nil

  134. 	})

  135. 

  136. 	// account could not be created and relevant numerics have been dispatched, abort

  137. 	if err != nil {

  138. 		if err != errAccountCreation {

  139. 			client.Send(nil, server.name, ERR_UNKNOWNERROR, client.nick, "ACC", "REGISTER", "Could not register")

  140. 			log.Println("Could not save registration initial data:", err.Error())

  141. 		}

  142. 		return false

  143. 	}

  144. 

  145. 	// account didn't already exist, continue with account creation and dispatching verification (if required)

  146. 	callback := strings.ToLower(msg.Params[2])

  147. 	var callbackNamespace, callbackValue string

  148. 

  149. 	if callback == "*" {

  150. 		callbackNamespace = "*"

  151. 	} else if strings.Contains(callback, ":") {

  152. 		callbackValues := strings.SplitN(callback, ":", 2)

  153. 		callbackNamespace, callbackValue = callbackValues[0], callbackValues[1]

  154. 	} else {

  155. 		callbackNamespace = server.accountRegistration.EnabledCallbacks[0]

  156. 		callbackValue = callback

  157. 	}

  158. 

  159. 	// ensure the callback namespace is valid

  160. 	// need to search callback list, maybe look at using a map later?

  161. 	var callbackValid bool

  162. 	for _, name := range server.accountRegistration.EnabledCallbacks {

  163. 		if callbackNamespace == name {

  164. 			callbackValid = true

  165. 		}

  166. 	}

  167. 

  168. 	if !callbackValid {

  169. 		client.Send(nil, server.name, ERR_REG_INVALID_CALLBACK, client.nick, account, callbackNamespace, "Callback namespace is not supported")

  170. 		removeFailedAccRegisterData(server.store, casefoldedAccount)

  171. 		return false

  172. 	}

  173. 

  174. 	// get credential type/value

  175. 	var credentialType, credentialValue string

  176. 

  177. 	if len(msg.Params) > 4 {

  178. 		credentialType = strings.ToLower(msg.Params[3])

  179. 		credentialValue = msg.Params[4]

  180. 	} else if len(msg.Params) == 4 {

  181. 		credentialType = "passphrase" // default from the spec

  182. 		credentialValue = msg.Params[3]

  183. 	} else {

  184. 		client.Send(nil, server.name, ERR_NEEDMOREPARAMS, client.nick, msg.Command, "Not enough parameters")

  185. 		removeFailedAccRegisterData(server.store, casefoldedAccount)

  186. 		return false

  187. 	}

  188. 

  189. 	// ensure the credential type is valid

  190. 	var credentialValid bool

  191. 	for _, name := range server.accountRegistration.EnabledCredentialTypes {

  192. 		if credentialType == name {

  193. 			credentialValid = true

  194. 		}

  195. 	}

  196. 	if credentialType == "certfp" && client.certfp == "" {

  197. 		client.Send(nil, server.name, ERR_REG_INVALID_CRED_TYPE, client.nick, credentialType, callbackNamespace, "You are not using a TLS certificate")

  198. 		removeFailedAccRegisterData(server.store, casefoldedAccount)

  199. 		return false

  200. 	}

  201. 

  202. 	if !credentialValid {

  203. 		client.Send(nil, server.name, ERR_REG_INVALID_CRED_TYPE, client.nick, credentialType, callbackNamespace, "Credential type is not supported")

  204. 		removeFailedAccRegisterData(server.store, casefoldedAccount)

  205. 		return false

  206. 	}

  207. 

  208. 	// store details

  209. 	err = server.store.Update(func(tx *buntdb.Tx) error {

  210. 		// certfp special lookup key

  211. 		if credentialType == "certfp" {

  212. 			assembledKeyCertToAccount := fmt.Sprintf(keyCertToAccount, client.certfp)

  213. 

  214. 			// make sure certfp doesn't already exist because that'd be silly

  215. 			_, err := tx.Get(assembledKeyCertToAccount)

  216. 			if err != buntdb.ErrNotFound {

  217. 				return errCertfpAlreadyExists

  218. 			}

  219. 

  220. 			tx.Set(assembledKeyCertToAccount, casefoldedAccount, nil)

  221. 		}

  222. 

  223. 		// make creds

  224. 		var creds AccountCredentials

  225. 

  226. 		// always set passphrase salt

  227. 		creds.PassphraseSalt, err = NewSalt()

  228. 		if err != nil {

  229. 			return fmt.Errorf("Could not create passphrase salt: %s", err.Error())

  230. 		}

  231. 

  232. 		if credentialType == "certfp" {

  233. 			creds.Certificate = client.certfp

  234. 		} else if credentialType == "passphrase" {

  235. 			creds.PassphraseHash, err = server.passwords.GenerateFromPassword(creds.PassphraseSalt, credentialValue)

  236. 			if err != nil {

  237. 				return fmt.Errorf("Could not hash password: %s", err)

  238. 			}

  239. 		}

  240. 		credText, err := json.Marshal(creds)

  241. 		if err != nil {

  242. 			return fmt.Errorf("Could not marshal creds: %s", err)

  243. 		}

  244. 		tx.Set(fmt.Sprintf(keyAccountCredentials, account), string(credText), nil)

  245. 

  246. 		return nil

  247. 	})

  248. 

  249. 	// details could not be stored and relevant numerics have been dispatched, abort

  250. 	if err != nil {

  251. 		errMsg := "Could not register"

  252. 		if err == errCertfpAlreadyExists {

  253. 			errMsg = "An account already exists for your certificate fingerprint"

  254. 		}

  255. 		client.Send(nil, server.name, ERR_UNKNOWNERROR, client.nick, "ACC", "REGISTER", errMsg)

  256. 		log.Println("Could not save registration creds:", err.Error())

  257. 		removeFailedAccRegisterData(server.store, casefoldedAccount)

  258. 		return false

  259. 	}

  260. 

  261. 	// automatically complete registration

  262. 	if callbackNamespace == "*" {

  263. 		err = server.store.Update(func(tx *buntdb.Tx) error {

  264. 			tx.Set(fmt.Sprintf(keyAccountVerified, casefoldedAccount), "1", nil)

  265. 

  266. 			// load acct info inside store tx

  267. 			account := ClientAccount{

  268. 				Name:         strings.TrimSpace(msg.Params[1]),

  269. 				RegisteredAt: time.Now(),

  270. 				Clients:      []*Client{client},

  271. 			}

  272. 			//TODO(dan): Consider creating ircd-wide account adding/removing/affecting lock for protecting access to these sorts of variables

  273. 			server.accounts[casefoldedAccount] = &account

  274. 			client.account = &account

  275. 

  276. 			client.Send(nil, server.name, RPL_REGISTRATION_SUCCESS, client.nick, account.Name, "Account created")

  277. 			client.Send(nil, server.name, RPL_LOGGEDIN, client.nick, client.nickMaskString, account.Name, fmt.Sprintf("You are now logged in as %s", account.Name))

  278. 			client.Send(nil, server.name, RPL_SASLSUCCESS, client.nick, "Authentication successful")

  279. 			server.snomasks.Send(sno.LocalAccounts, fmt.Sprintf(ircfmt.Unescape("Account registered $c[grey][$r%s$c[grey]] by $c[grey][$r%s$c[grey]]"), account.Name, client.nickMaskString))

  280. 			return nil

  281. 		})

  282. 		if err != nil {

  283. 			client.Send(nil, server.name, ERR_UNKNOWNERROR, client.nick, "ACC", "REGISTER", "Could not register")

  284. 			log.Println("Could not save verification confirmation (*):", err.Error())

  285. 			removeFailedAccRegisterData(server.store, casefoldedAccount)

  286. 			return false

  287. 		}

  288. 

  289. 		return false

  290. 	}

  291. 

  292. 	// dispatch callback

  293. 	client.Notice(fmt.Sprintf("We should dispatch a real callback here to %s:%s", callbackNamespace, callbackValue))

  294. 

  295. 	return false

  296. }