mirror
/
oragono
mirror of https://github.com/oragono/oragono
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 69 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
729 Commits
21 Branches
Tree: 317a804644
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '317a804644'
${ noResults }
oragono/irc/accounts.go

accounts.go 9.6KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329 
  1. // Copyright (c) 2016-2017 Daniel Oaks <daniel@danieloaks.net>

  2. // released under the MIT license

  3. 

  4. package irc

  5. 

  6. import (

  7. 	"bytes"

  8. 	"encoding/base64"

  9. 	"encoding/json"

  10. 	"errors"

  11. 	"fmt"

  12. 	"strconv"

  13. 	"strings"

  14. 	"time"

  15. 

  16. 	"github.com/DanielOaks/girc-go/ircmsg"

  17. 	"github.com/tidwall/buntdb"

  18. )

  19. 

  20. const (

  21. 	keyAccountExists      = "account.exists %s"

  22. 	keyAccountVerified    = "account.verified %s"

  23. 	keyAccountName        = "account.name %s" // stores the 'preferred name' of the account, not casemapped

  24. 	keyAccountRegTime     = "account.registered.time %s"

  25. 	keyAccountCredentials = "account.credentials %s"

  26. 	keyCertToAccount      = "account.creds.certfp %s"

  27. )

  28. 

  29. var (

  30. 	// EnabledSaslMechanisms contains the SASL mechanisms that exist and that we support.

  31. 	// This can be moved to some other data structure/place if we need to load/unload mechs later.

  32. 	EnabledSaslMechanisms = map[string]func(*Server, *Client, string, []byte) bool{

  33. 		"PLAIN":    authPlainHandler,

  34. 		"EXTERNAL": authExternalHandler,

  35. 	}

  36. 

  37. 	// NoAccount is a placeholder which means that the user is not logged into an account.

  38. 	NoAccount = ClientAccount{

  39. 		Name: "*", // * is used until actual account name is set

  40. 	}

  41. 

  42. 	// generic sasl fail error

  43. 	errSaslFail = errors.New("SASL failed")

  44. )

  45. 

  46. // ClientAccount represents a user account.

  47. type ClientAccount struct {

  48. 	// Name of the account.

  49. 	Name string

  50. 	// RegisteredAt represents the time that the account was registered.

  51. 	RegisteredAt time.Time

  52. 	// Clients that are currently logged into this account (useful for notifications).

  53. 	Clients []*Client

  54. }

  55. 

  56. // loadAccountCredentials loads an account's credentials from the store.

  57. func loadAccountCredentials(tx *buntdb.Tx, accountKey string) (*AccountCredentials, error) {

  58. 	credText, err := tx.Get(fmt.Sprintf(keyAccountCredentials, accountKey))

  59. 	if err != nil {

  60. 		return nil, err

  61. 	}

  62. 

  63. 	var creds AccountCredentials

  64. 	err = json.Unmarshal([]byte(credText), &creds)

  65. 	if err != nil {

  66. 		return nil, err

  67. 	}

  68. 

  69. 	return &creds, nil

  70. }

  71. 

  72. // loadAccount loads an account from the store, note that the account must actually exist.

  73. func loadAccount(server *Server, tx *buntdb.Tx, accountKey string) *ClientAccount {

  74. 	name, _ := tx.Get(fmt.Sprintf(keyAccountName, accountKey))

  75. 	regTime, _ := tx.Get(fmt.Sprintf(keyAccountRegTime, accountKey))

  76. 	regTimeInt, _ := strconv.ParseInt(regTime, 10, 64)

  77. 	accountInfo := ClientAccount{

  78. 		Name:         name,

  79. 		RegisteredAt: time.Unix(regTimeInt, 0),

  80. 		Clients:      []*Client{},

  81. 	}

  82. 	server.accounts[accountKey] = &accountInfo

  83. 

  84. 	return &accountInfo

  85. }

  86. 

  87. // authenticateHandler parses the AUTHENTICATE command (for SASL authentication).

  88. func authenticateHandler(server *Server, client *Client, msg ircmsg.IrcMessage) bool {

  89. 	// sasl abort

  90. 	if !server.accountAuthenticationEnabled || len(msg.Params) == 1 && msg.Params[0] == "*" {

  91. 		if client.saslInProgress {

  92. 			client.Send(nil, server.name, ERR_SASLABORTED, client.nick, "SASL authentication aborted")

  93. 		} else {

  94. 			client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed")

  95. 		}

  96. 		client.saslInProgress = false

  97. 		client.saslMechanism = ""

  98. 		client.saslValue = ""

  99. 		return false

  100. 	}

  101. 

  102. 	// start new sasl session

  103. 	if !client.saslInProgress {

  104. 		mechanism := strings.ToUpper(msg.Params[0])

  105. 		_, mechanismIsEnabled := EnabledSaslMechanisms[mechanism]

  106. 

  107. 		if mechanismIsEnabled {

  108. 			client.saslInProgress = true

  109. 			client.saslMechanism = mechanism

  110. 			client.Send(nil, server.name, "AUTHENTICATE", "+")

  111. 		} else {

  112. 			client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed")

  113. 		}

  114. 

  115. 		return false

  116. 	}

  117. 

  118. 	// continue existing sasl session

  119. 	rawData := msg.Params[0]

  120. 

  121. 	if len(rawData) > 400 {

  122. 		client.Send(nil, server.name, ERR_SASLTOOLONG, client.nick, "SASL message too long")

  123. 		client.saslInProgress = false

  124. 		client.saslMechanism = ""

  125. 		client.saslValue = ""

  126. 		return false

  127. 	} else if len(rawData) == 400 {

  128. 		client.saslValue += rawData

  129. 		// allow 4 'continuation' lines before rejecting for length

  130. 		if len(client.saslValue) > 400*4 {

  131. 			client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed: Passphrase too long")

  132. 			client.saslInProgress = false

  133. 			client.saslMechanism = ""

  134. 			client.saslValue = ""

  135. 			return false

  136. 		}

  137. 		return false

  138. 	}

  139. 	if rawData != "+" {

  140. 		client.saslValue += rawData

  141. 	}

  142. 

  143. 	var data []byte

  144. 	var err error

  145. 	if client.saslValue != "+" {

  146. 		data, err = base64.StdEncoding.DecodeString(client.saslValue)

  147. 		if err != nil {

  148. 			client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed: Invalid b64 encoding")

  149. 			client.saslInProgress = false

  150. 			client.saslMechanism = ""

  151. 			client.saslValue = ""

  152. 			return false

  153. 		}

  154. 	}

  155. 

  156. 	// call actual handler

  157. 	handler, handlerExists := EnabledSaslMechanisms[client.saslMechanism]

  158. 

  159. 	// like 100% not required, but it's good to be safe I guess

  160. 	if !handlerExists {

  161. 		client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed")

  162. 		client.saslInProgress = false

  163. 		client.saslMechanism = ""

  164. 		client.saslValue = ""

  165. 		return false

  166. 	}

  167. 

  168. 	// let the SASL handler do its thing

  169. 	exiting := handler(server, client, client.saslMechanism, data)

  170. 

  171. 	// wait 'til SASL is done before emptying the sasl vars

  172. 	client.saslInProgress = false

  173. 	client.saslMechanism = ""

  174. 	client.saslValue = ""

  175. 

  176. 	return exiting

  177. }

  178. 

  179. // authPlainHandler parses the SASL PLAIN mechanism.

  180. func authPlainHandler(server *Server, client *Client, mechanism string, value []byte) bool {

  181. 	splitValue := bytes.Split(value, []byte{'\000'})

  182. 

  183. 	var accountKey, authzid string

  184. 

  185. 	if len(splitValue) == 3 {

  186. 		accountKey = string(splitValue[0])

  187. 		authzid = string(splitValue[1])

  188. 

  189. 		if accountKey == "" {

  190. 			accountKey = authzid

  191. 		} else if accountKey != authzid {

  192. 			client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed: authcid and authzid should be the same")

  193. 			return false

  194. 		}

  195. 	} else {

  196. 		client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed: Invalid auth blob")

  197. 		return false

  198. 	}

  199. 

  200. 	// keep it the same as in the REG CREATE stage

  201. 	accountKey, err := CasefoldName(accountKey)

  202. 	if err != nil {

  203. 		client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed: Bad account name")

  204. 		return false

  205. 	}

  206. 

  207. 	// load and check acct data all in one update to prevent races.

  208. 	// as noted elsewhere, change to proper locking for Account type later probably

  209. 	err = server.store.Update(func(tx *buntdb.Tx) error {

  210. 		// confirm account is verified

  211. 		_, err = tx.Get(fmt.Sprintf(keyAccountVerified, accountKey))

  212. 		if err != nil {

  213. 			return errSaslFail

  214. 		}

  215. 

  216. 		creds, err := loadAccountCredentials(tx, accountKey)

  217. 		if err != nil {

  218. 			return err

  219. 		}

  220. 

  221. 		// ensure creds are valid

  222. 		password := string(splitValue[2])

  223. 		if len(creds.PassphraseHash) < 1 || len(creds.PassphraseSalt) < 1 || len(password) < 1 {

  224. 			return errSaslFail

  225. 		}

  226. 		err = server.passwords.CompareHashAndPassword(creds.PassphraseHash, creds.PassphraseSalt, password)

  227. 

  228. 		// succeeded, load account info if necessary

  229. 		account, exists := server.accounts[accountKey]

  230. 		if !exists {

  231. 			account = loadAccount(server, tx, accountKey)

  232. 		}

  233. 

  234. 		client.LoginToAccount(account)

  235. 

  236. 		return err

  237. 	})

  238. 

  239. 	if err != nil {

  240. 		client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed")

  241. 		return false

  242. 	}

  243. 

  244. 	client.successfulSaslAuth()

  245. 	return false

  246. }

  247. 

  248. // LoginToAccount logs the client into the given account.

  249. func (client *Client) LoginToAccount(account *ClientAccount) {

  250. 	if client.account == account {

  251. 		// already logged into this acct, no changing necessary

  252. 		return

  253. 	} else if client.account != nil {

  254. 		// logout of existing acct

  255. 		var newClientAccounts []*Client

  256. 		for _, c := range account.Clients {

  257. 			if c != client {

  258. 				newClientAccounts = append(newClientAccounts, c)

  259. 			}

  260. 		}

  261. 		account.Clients = newClientAccounts

  262. 	}

  263. 

  264. 	account.Clients = append(account.Clients, client)

  265. 	client.account = account

  266. }

  267. 

  268. // authExternalHandler parses the SASL EXTERNAL mechanism.

  269. func authExternalHandler(server *Server, client *Client, mechanism string, value []byte) bool {

  270. 	if client.certfp == "" {

  271. 		client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed, you are not connecting with a caertificate")

  272. 		return false

  273. 	}

  274. 

  275. 	err := server.store.Update(func(tx *buntdb.Tx) error {

  276. 		// certfp lookup key

  277. 		accountKey, err := tx.Get(fmt.Sprintf(keyCertToAccount, client.certfp))

  278. 		if err != nil {

  279. 			return errSaslFail

  280. 		}

  281. 

  282. 		// confirm account exists

  283. 		_, err = tx.Get(fmt.Sprintf(keyAccountExists, accountKey))

  284. 		if err != nil {

  285. 			return errSaslFail

  286. 		}

  287. 

  288. 		// confirm account is verified

  289. 		_, err = tx.Get(fmt.Sprintf(keyAccountVerified, accountKey))

  290. 		if err != nil {

  291. 			return errSaslFail

  292. 		}

  293. 

  294. 		// confirm the certfp in that account's credentials

  295. 		creds, err := loadAccountCredentials(tx, accountKey)

  296. 		if err != nil || creds.Certificate != client.certfp {

  297. 			return errSaslFail

  298. 		}

  299. 

  300. 		// succeeded, load account info if necessary

  301. 		account, exists := server.accounts[accountKey]

  302. 		if !exists {

  303. 			account = loadAccount(server, tx, accountKey)

  304. 		}

  305. 

  306. 		client.LoginToAccount(account)

  307. 

  308. 		return nil

  309. 	})

  310. 

  311. 	if err != nil {

  312. 		client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed")

  313. 		return false

  314. 	}

  315. 

  316. 	client.successfulSaslAuth()

  317. 	return false

  318. }

  319. 

  320. // successfulSaslAuth means that a SASL auth attempt completed successfully, and is used to dispatch messages.

  321. func (c *Client) successfulSaslAuth() {

  322. 	c.Send(nil, c.server.name, RPL_LOGGEDIN, c.nick, c.nickMaskString, c.account.Name, fmt.Sprintf("You are now logged in as %s", c.account.Name))

  323. 	c.Send(nil, c.server.name, RPL_SASLSUCCESS, c.nick, "SASL authentication successful")

  324. 

  325. 	// dispatch account-notify

  326. 	for friend := range c.Friends(AccountNotify) {

  327. 		friend.Send(nil, c.nickMaskString, "ACCOUNT", c.account.Name)

  328. 	}

  329. }