mirror
/
oragono
spogulis no https://github.com/oragono/oragono
Vērot 1
Pievienot zvaigznīti 0
Atdalīts 0
Kods Problēmas 0 Laidieni 67 Vikivietne Aktivitāte
Nevar pievienot vairāk kā 25 tēmas Tēmai ir jāsākas ar burtu vai ciparu, tā var saturēt domu zīmes ('-') un var būt līdz 35 simboliem gara.
2625 Revīzijas
20 Atzari
Koks: 33dac4c0ba
Atzari Tagi
${ item.name }
Izveidot atzaru ${ searchTerm }
no '33dac4c0ba'
${ noResults }
oragono/irc/nickserv.go

nickserv.go 35KB
Vēsture Neapstrādāts

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047 
  1. // Copyright (c) 2017 Daniel Oaks <daniel@danieloaks.net>

  2. // released under the MIT license

  3. 

  4. package irc

  5. 

  6. import (

  7. 	"fmt"

  8. 	"strconv"

  9. 	"strings"

  10. 	"time"

  11. 

  12. 	"github.com/goshuirc/irc-go/ircfmt"

  13. 

  14. 	"github.com/oragono/oragono/irc/modes"

  15. 	"github.com/oragono/oragono/irc/passwd"

  16. 	"github.com/oragono/oragono/irc/sno"

  17. 	"github.com/oragono/oragono/irc/utils"

  18. )

  19. 

  20. // "enabled" callbacks for specific nickserv commands

  21. func servCmdRequiresAccreg(config *Config) bool {

  22. 	return config.Accounts.Registration.Enabled

  23. }

  24. 

  25. func servCmdRequiresAuthEnabled(config *Config) bool {

  26. 	return config.Accounts.AuthenticationEnabled

  27. }

  28. 

  29. func servCmdRequiresNickRes(config *Config) bool {

  30. 	return config.Accounts.AuthenticationEnabled && config.Accounts.NickReservation.Enabled

  31. }

  32. 

  33. func servCmdRequiresBouncerEnabled(config *Config) bool {

  34. 	return config.Accounts.Bouncer.Enabled

  35. }

  36. 

  37. const (

  38. 	nsPrefix = "NickServ!NickServ@localhost"

  39. 	// ZNC's nickserv module will not detect this unless it is:

  40. 	// 1. sent with prefix `nickserv`

  41. 	// 2. contains the string "identify"

  42. 	// 3. contains at least one of several other magic strings ("msg" works)

  43. 	nsTimeoutNotice = `This nickname is reserved. Please login within %v (using $b/msg NickServ IDENTIFY <password>$b or SASL), or switch to a different nickname.`

  44. )

  45. 

  46. const nickservHelp = `NickServ lets you register, log in to, and manage an account.`

  47. 

  48. var (

  49. 	nickservCommands = map[string]*serviceCommand{

  50. 		"drop": {

  51. 			handler: nsDropHandler,

  52. 			help: `Syntax: $bDROP [nickname]$b

  53. 

  54. DROP de-links the given (or your current) nickname from your user account.`,

  55. 			helpShort:    `$bDROP$b de-links your current (or the given) nickname from your user account.`,

  56. 			enabled:      servCmdRequiresNickRes,

  57. 			authRequired: true,

  58. 		},

  59. 		"enforce": {

  60. 			hidden:  true,

  61. 			handler: nsEnforceHandler,

  62. 			help: `Syntax: $bENFORCE [method]$b

  63. 

  64. ENFORCE is an alias for $bGET enforce$b and $bSET enforce$b. See the help

  65. entry for $bSET$b for more information.`,

  66. 			authRequired: true,

  67. 			enabled:      servCmdRequiresAccreg,

  68. 		},

  69. 		"ghost": {

  70. 			handler: nsGhostHandler,

  71. 			help: `Syntax: $bGHOST <nickname>$b

  72. 

  73. GHOST disconnects the given user from the network if they're logged in with the

  74. same user account, letting you reclaim your nickname.`,

  75. 			helpShort:    `$bGHOST$b reclaims your nickname.`,

  76. 			enabled:      servCmdRequiresNickRes,

  77. 			authRequired: true,

  78. 			minParams:    1,

  79. 		},

  80. 		"group": {

  81. 			handler: nsGroupHandler,

  82. 			help: `Syntax: $bGROUP$b

  83. 

  84. GROUP links your current nickname with your logged-in account, so other people

  85. will not be able to use it.`,

  86. 			helpShort:    `$bGROUP$b links your current nickname to your user account.`,

  87. 			enabled:      servCmdRequiresNickRes,

  88. 			authRequired: true,

  89. 		},

  90. 		"identify": {

  91. 			handler: nsIdentifyHandler,

  92. 			help: `Syntax: $bIDENTIFY <username> [password]$b

  93. 

  94. IDENTIFY lets you login to the given username using either password auth, or

  95. certfp (your client certificate) if a password is not given.`,

  96. 			helpShort: `$bIDENTIFY$b lets you login to your account.`,

  97. 			enabled:   servCmdRequiresAuthEnabled,

  98. 			minParams: 1,

  99. 		},

  100. 		"info": {

  101. 			handler: nsInfoHandler,

  102. 			help: `Syntax: $bINFO [username]$b

  103. 

  104. INFO gives you information about the given (or your own) user account.`,

  105. 			helpShort: `$bINFO$b gives you information on a user account.`,

  106. 		},

  107. 		"register": {

  108. 			handler: nsRegisterHandler,

  109. 			// TODO: "email" is an oversimplification here; it's actually any callback, e.g.,

  110. 			// person@example.com, mailto:person@example.com, tel:16505551234.

  111. 			help: `Syntax: $bREGISTER <password> [email]$b

  112. 

  113. REGISTER lets you register your current nickname as a user account. If the

  114. server allows anonymous registration, you can omit the e-mail address.

  115. 

  116. If you are currently logged in with a TLS client certificate and wish to use

  117. it instead of a password to log in, send * as the password.`,

  118. 			helpShort: `$bREGISTER$b lets you register a user account.`,

  119. 			enabled:   servCmdRequiresAccreg,

  120. 			minParams: 1,

  121. 			maxParams: 2,

  122. 		},

  123. 		"sadrop": {

  124. 			handler: nsDropHandler,

  125. 			help: `Syntax: $bSADROP <nickname>$b

  126. 

  127. SADROP forcibly de-links the given nickname from the attached user account.`,

  128. 			helpShort: `$bSADROP$b forcibly de-links the given nickname from its user account.`,

  129. 			capabs:    []string{"accreg"},

  130. 			enabled:   servCmdRequiresNickRes,

  131. 			minParams: 1,

  132. 		},

  133. 		"saregister": {

  134. 			handler: nsSaregisterHandler,

  135. 			help: `Syntax: $bSAREGISTER <username> [password]$b

  136. 

  137. SAREGISTER registers an account on someone else's behalf.

  138. This is for use in configurations that require SASL for all connections;

  139. an administrator can set use this command to set up user accounts.`,

  140. 			helpShort: `$bSAREGISTER$b registers an account on someone else's behalf.`,

  141. 			enabled:   servCmdRequiresAuthEnabled,

  142. 			capabs:    []string{"accreg"},

  143. 			minParams: 1,

  144. 		},

  145. 		"sessions": {

  146. 			handler: nsSessionsHandler,

  147. 			help: `Syntax: $bSESSIONS [nickname]$b

  148. 

  149. SESSIONS lists information about the sessions currently attached, via

  150. the server's bouncer functionality, to your nickname. An administrator

  151. can use this command to list another user's sessions.`,

  152. 			helpShort: `$bSESSIONS$b lists the sessions attached to a nickname.`,

  153. 			enabled:   servCmdRequiresBouncerEnabled,

  154. 		},

  155. 		"unregister": {

  156. 			handler: nsUnregisterHandler,

  157. 			help: `Syntax: $bUNREGISTER <username> [code]$b

  158. 

  159. UNREGISTER lets you delete your user account (or someone else's, if you're an

  160. IRC operator with the correct permissions). To prevent accidental

  161. unregistrations, a verification code is required; invoking the command without

  162. a code will display the necessary code.`,

  163. 			helpShort: `$bUNREGISTER$b lets you delete your user account.`,

  164. 			enabled:   servCmdRequiresAuthEnabled,

  165. 			minParams: 1,

  166. 		},

  167. 		"verify": {

  168. 			handler: nsVerifyHandler,

  169. 			help: `Syntax: $bVERIFY <username> <code>$b

  170. 

  171. VERIFY lets you complete an account registration, if the server requires email

  172. or other verification.`,

  173. 			helpShort: `$bVERIFY$b lets you complete account registration.`,

  174. 			enabled:   servCmdRequiresAccreg,

  175. 			minParams: 2,

  176. 		},

  177. 		"passwd": {

  178. 			handler: nsPasswdHandler,

  179. 			help: `Syntax: $bPASSWD <current> <new> <new_again>$b

  180. Or:     $bPASSWD <username> <new>$b

  181. 

  182. PASSWD lets you change your account password. You must supply your current

  183. password and confirm the new one by typing it twice. If you're an IRC operator

  184. with the correct permissions, you can use PASSWD to reset someone else's

  185. password by supplying their username and then the desired password. To

  186. indicate an empty password, use * instead.`,

  187. 			helpShort: `$bPASSWD$b lets you change your password.`,

  188. 			enabled:   servCmdRequiresAuthEnabled,

  189. 			minParams: 2,

  190. 		},

  191. 		"get": {

  192. 			handler: nsGetHandler,

  193. 			help: `Syntax: $bGET <setting>$b

  194. 

  195. GET queries the current values of your account settings. For more information

  196. on the settings and their possible values, see HELP SET.`,

  197. 			helpShort:    `$bGET$b queries the current values of your account settings`,

  198. 			authRequired: true,

  199. 			enabled:      servCmdRequiresAccreg,

  200. 			minParams:    1,

  201. 		},

  202. 		"saget": {

  203. 			handler: nsGetHandler,

  204. 			help: `Syntax: $bSAGET <account> <setting>$b

  205. 

  206. SAGET queries the values of someone else's account settings. For more

  207. information on the settings and their possible values, see HELP SET.`,

  208. 			helpShort: `$bSAGET$b queries the current values of another user's account settings`,

  209. 			enabled:   servCmdRequiresAccreg,

  210. 			minParams: 2,

  211. 			capabs:    []string{"accreg"},

  212. 		},

  213. 		"set": {

  214. 			handler:   nsSetHandler,

  215. 			helpShort: `$bSET$b modifies your account settings`,

  216. 			// these are broken out as separate strings so they can be translated separately

  217. 			helpStrings: []string{

  218. 				`Syntax $bSET <setting> <value>$b

  219. 

  220. SET modifies your account settings. The following settings are available:`,

  221. 

  222. 				`$bENFORCE$b

  223. 'enforce' lets you specify a custom enforcement mechanism for your registered

  224. nicknames. Your options are:

  225. 1. 'none'    [no enforcement, overriding the server default]

  226. 2. 'timeout' [anyone using the nick must authenticate before a deadline,

  227.               or else they will be renamed]

  228. 3. 'strict'  [you must already be authenticated to use the nick]

  229. 4. 'default' [use the server default]`,

  230. 

  231. 				`$bBOUNCER$b

  232. If 'bouncer' is enabled and you are already logged in and using a nick, a

  233. second client of yours that authenticates with SASL and requests the same nick

  234. is allowed to attach to the nick as well (this is comparable to the behavior

  235. of IRC "bouncers" like ZNC). Your options are 'on' (allow this behavior),

  236. 'off' (disallow it), and 'default' (use the server default value).`,

  237. 

  238. 				`$bAUTOREPLAY-LINES$b

  239. 'autoreplay-lines' controls the number of lines of channel history that will

  240. be replayed to you automatically when joining a channel. Your options are any

  241. positive number, 0 to disable the feature, and 'default' to use the server

  242. default.`,

  243. 

  244. 				`$bREPLAY-JOINS$b

  245. 'replay-joins' controls whether replayed channel history will include

  246. lines for join and part. This provides more information about the context of

  247. messages, but may be spammy. Your options are 'always', 'never', and the default

  248. of 'commands-only' (the messages will be replayed in /HISTORY output, but not

  249. during autoreplay).`,

  250. 				`$bALWAYS-ON$b

  251. 'always-on' controls whether your nickname/identity will remain active

  252. even while you are disconnected from the server. Your options are 'true',

  253. 'false', and 'default' (use the server default value).`,

  254. 				`$bAUTOREPLAY-MISSED$b

  255. 'autoreplay-missed' is only effective for always-on clients. If enabled,

  256. if you have at most one active session, the server will remember the time

  257. you disconnect and then replay missed messages to you when you reconnect.

  258. Your options are 'on' and 'off'.`,

  259. 				`$bDM-HISTORY$b

  260. 'dm-history' is only effective for always-on clients. It lets you control

  261. how the history of your direct messages is stored. Your options are:

  262. 1. 'off'        [no history]

  263. 2. 'ephemeral'  [a limited amount of temporary history, not stored on disk]

  264. 3. 'on'         [history stored in a permanent database, if available]

  265. 4. 'default'    [use the server default]`,

  266. 			},

  267. 			authRequired: true,

  268. 			enabled:      servCmdRequiresAccreg,

  269. 			minParams:    2,

  270. 		},

  271. 		"saset": {

  272. 			handler: nsSetHandler,

  273. 			help: `Syntax: $bSASET <account> <setting> <value>$b

  274. 

  275. SASET modifies the values of someone else's account settings. For more

  276. information on the settings and their possible values, see HELP SET.`,

  277. 			helpShort: `$bSASET$b modifies another user's account settings`,

  278. 			enabled:   servCmdRequiresAccreg,

  279. 			minParams: 3,

  280. 			capabs:    []string{"accreg"},

  281. 		},

  282. 		"cert": {

  283. 			handler: nsCertHandler,

  284. 			help: `Syntax: $bCERT <LIST | ADD | DEL> [account] [certfp]$b

  285. 

  286. CERT examines or modifies the TLS certificate fingerprints that can be used to

  287. log into an account. Specifically, $bCERT LIST$b lists the authorized

  288. fingerprints, $bCERT ADD <fingerprint>$b adds a new fingerprint, and

  289. $bCERT DEL <fingerprint>$b removes a fingerprint. If you're an IRC operator

  290. with the correct permissions, you can act on another user's account, for

  291. example with $bCERT ADD <account> <fingerprint>$b.`,

  292. 			helpShort: `$bCERT$b controls a user account's certificate fingerprints`,

  293. 			enabled:   servCmdRequiresAuthEnabled,

  294. 			minParams: 1,

  295. 		},

  296. 	}

  297. )

  298. 

  299. // nsNotice sends the client a notice from NickServ

  300. func nsNotice(rb *ResponseBuffer, text string) {

  301. 	// XXX i can't figure out how to use OragonoServices[servicename].prefix here

  302. 	// without creating a compile-time initialization loop

  303. 	rb.Add(nil, nsPrefix, "NOTICE", rb.target.Nick(), text)

  304. }

  305. 

  306. func nsGetHandler(server *Server, client *Client, command string, params []string, rb *ResponseBuffer) {

  307. 	var account string

  308. 	if command == "saget" {

  309. 		account = params[0]

  310. 		params = params[1:]

  311. 	} else {

  312. 		account = client.Account()

  313. 	}

  314. 

  315. 	accountData, err := server.accounts.LoadAccount(account)

  316. 	if err == errAccountDoesNotExist {

  317. 		nsNotice(rb, client.t("No such account"))

  318. 		return

  319. 	} else if err != nil {

  320. 		nsNotice(rb, client.t("Error loading account data"))

  321. 		return

  322. 	}

  323. 

  324. 	displaySetting(params[0], accountData.Settings, client, rb)

  325. }

  326. 

  327. func displaySetting(settingName string, settings AccountSettings, client *Client, rb *ResponseBuffer) {

  328. 	config := client.server.Config()

  329. 	switch strings.ToLower(settingName) {

  330. 	case "enforce":

  331. 		storedValue := settings.NickEnforcement

  332. 		serializedStoredValue := nickReservationToString(storedValue)

  333. 		nsNotice(rb, fmt.Sprintf(client.t("Your stored nickname enforcement setting is: %s"), serializedStoredValue))

  334. 		serializedActualValue := nickReservationToString(configuredEnforcementMethod(config, storedValue))

  335. 		nsNotice(rb, fmt.Sprintf(client.t("Given current server settings, your nickname is enforced with: %s"), serializedActualValue))

  336. 	case "autoreplay-lines":

  337. 		if settings.AutoreplayLines == nil {

  338. 			nsNotice(rb, fmt.Sprintf(client.t("You will receive the server default of %d lines of autoreplayed history"), config.History.AutoreplayOnJoin))

  339. 		} else {

  340. 			nsNotice(rb, fmt.Sprintf(client.t("You will receive %d lines of autoreplayed history"), *settings.AutoreplayLines))

  341. 		}

  342. 	case "replay-joins":

  343. 		switch settings.ReplayJoins {

  344. 		case ReplayJoinsCommandsOnly:

  345. 			nsNotice(rb, client.t("You will see JOINs and PARTs in /HISTORY output, but not in autoreplay"))

  346. 		case ReplayJoinsAlways:

  347. 			nsNotice(rb, client.t("You will see JOINs and PARTs in /HISTORY output and in autoreplay"))

  348. 		case ReplayJoinsNever:

  349. 			nsNotice(rb, client.t("You will not see JOINs and PARTs in /HISTORY output or in autoreplay"))

  350. 		}

  351. 	case "bouncer":

  352. 		if !config.Accounts.Bouncer.Enabled {

  353. 			nsNotice(rb, client.t("This feature has been disabled by the server administrators"))

  354. 		} else {

  355. 			switch settings.AllowBouncer {

  356. 			case BouncerAllowedServerDefault:

  357. 				if config.Accounts.Bouncer.AllowedByDefault {

  358. 					nsNotice(rb, client.t("Bouncer functionality is currently enabled for your account, but you can opt out"))

  359. 				} else {

  360. 					nsNotice(rb, client.t("Bouncer functionality is currently disabled for your account, but you can opt in"))

  361. 				}

  362. 			case BouncerDisallowedByUser:

  363. 				nsNotice(rb, client.t("Bouncer functionality is currently disabled for your account"))

  364. 			case BouncerAllowedByUser:

  365. 				nsNotice(rb, client.t("Bouncer functionality is currently enabled for your account"))

  366. 			}

  367. 		}

  368. 	case "always-on":

  369. 		stored := settings.AlwaysOn

  370. 		actual := client.AlwaysOn()

  371. 		nsNotice(rb, fmt.Sprintf(client.t("Your stored always-on setting is: %s"), persistentStatusToString(stored)))

  372. 		if actual {

  373. 			nsNotice(rb, client.t("Given current server settings, your client is always-on"))

  374. 		} else {

  375. 			nsNotice(rb, client.t("Given current server settings, your client is not always-on"))

  376. 		}

  377. 	case "autoreplay-missed":

  378. 		stored := settings.AutoreplayMissed

  379. 		if stored {

  380. 			if client.AlwaysOn() {

  381. 				nsNotice(rb, client.t("Autoreplay of missed messages is enabled"))

  382. 			} else {

  383. 				nsNotice(rb, client.t("You have enabled autoreplay of missed messages, but you can't receive them because your client isn't set to always-on"))

  384. 			}

  385. 		} else {

  386. 			nsNotice(rb, client.t("Your account is not configured to receive autoreplayed missed messages"))

  387. 		}

  388. 	case "dm-history":

  389. 		effectiveValue := historyEnabled(config.History.Persistent.DirectMessages, settings.DMHistory)

  390. 		csNotice(rb, fmt.Sprintf(client.t("Your stored direct message history setting is: %s"), historyStatusToString(settings.DMHistory)))

  391. 		csNotice(rb, fmt.Sprintf(client.t("Given current server settings, your direct message history setting is: %s"), historyStatusToString(effectiveValue)))

  392. 

  393. 	default:

  394. 		nsNotice(rb, client.t("No such setting"))

  395. 	}

  396. }

  397. 

  398. func nsSetHandler(server *Server, client *Client, command string, params []string, rb *ResponseBuffer) {

  399. 	var account string

  400. 	if command == "saset" {

  401. 		account = params[0]

  402. 		params = params[1:]

  403. 	} else {

  404. 		account = client.Account()

  405. 	}

  406. 

  407. 	var munger settingsMunger

  408. 	var finalSettings AccountSettings

  409. 	var err error

  410. 	switch strings.ToLower(params[0]) {

  411. 	case "pass":

  412. 		nsNotice(rb, client.t("To change a password, use the PASSWD command. For details, /msg NickServ HELP PASSWD"))

  413. 		return

  414. 	case "enforce":

  415. 		var method NickEnforcementMethod

  416. 		method, err = nickReservationFromString(params[1])

  417. 		if err != nil {

  418. 			err = errInvalidParams

  419. 			break

  420. 		}

  421. 		// updating enforcement settings is special-cased, because it requires

  422. 		// an update to server.accounts.accountToMethod

  423. 		finalSettings, err = server.accounts.SetEnforcementStatus(account, method)

  424. 		if err == nil {

  425. 			finalSettings.NickEnforcement = method // success

  426. 		}

  427. 	case "autoreplay-lines":

  428. 		var newValue *int

  429. 		if strings.ToLower(params[1]) != "default" {

  430. 			val, err_ := strconv.Atoi(params[1])

  431. 			if err_ != nil || val < 0 {

  432. 				err = errInvalidParams

  433. 				break

  434. 			}

  435. 			newValue = new(int)

  436. 			*newValue = val

  437. 		}

  438. 		munger = func(in AccountSettings) (out AccountSettings, err error) {

  439. 			out = in

  440. 			out.AutoreplayLines = newValue

  441. 			return

  442. 		}

  443. 	case "bouncer":

  444. 		var newValue BouncerAllowedSetting

  445. 		if strings.ToLower(params[1]) == "default" {

  446. 			newValue = BouncerAllowedServerDefault

  447. 		} else {

  448. 			var enabled bool

  449. 			enabled, err = utils.StringToBool(params[1])

  450. 			if enabled {

  451. 				newValue = BouncerAllowedByUser

  452. 			} else {

  453. 				newValue = BouncerDisallowedByUser

  454. 			}

  455. 		}

  456. 		if err == nil {

  457. 			munger = func(in AccountSettings) (out AccountSettings, err error) {

  458. 				out = in

  459. 				out.AllowBouncer = newValue

  460. 				return

  461. 			}

  462. 		}

  463. 	case "replay-joins":

  464. 		var newValue ReplayJoinsSetting

  465. 		newValue, err = replayJoinsSettingFromString(params[1])

  466. 		if err == nil {

  467. 			munger = func(in AccountSettings) (out AccountSettings, err error) {

  468. 				out = in

  469. 				out.ReplayJoins = newValue

  470. 				return

  471. 			}

  472. 		}

  473. 	case "always-on":

  474. 		var newValue PersistentStatus

  475. 		newValue, err = persistentStatusFromString(params[1])

  476. 		// "opt-in" and "opt-out" don't make sense as user preferences

  477. 		if err == nil && newValue != PersistentOptIn && newValue != PersistentOptOut {

  478. 			munger = func(in AccountSettings) (out AccountSettings, err error) {

  479. 				out = in

  480. 				out.AlwaysOn = newValue

  481. 				return

  482. 			}

  483. 		}

  484. 	case "autoreplay-missed":

  485. 		var newValue bool

  486. 		newValue, err = utils.StringToBool(params[1])

  487. 		if err == nil {

  488. 			munger = func(in AccountSettings) (out AccountSettings, err error) {

  489. 				out = in

  490. 				out.AutoreplayMissed = newValue

  491. 				return

  492. 			}

  493. 		}

  494. 	case "dm-history":

  495. 		var newValue HistoryStatus

  496. 		newValue, err = historyStatusFromString(params[1])

  497. 		if err == nil {

  498. 			munger = func(in AccountSettings) (out AccountSettings, err error) {

  499. 				out = in

  500. 				out.DMHistory = newValue

  501. 				return

  502. 			}

  503. 		}

  504. 	default:

  505. 		err = errInvalidParams

  506. 	}

  507. 

  508. 	if munger != nil {

  509. 		finalSettings, err = server.accounts.ModifyAccountSettings(account, munger)

  510. 	}

  511. 

  512. 	switch err {

  513. 	case nil:

  514. 		nsNotice(rb, client.t("Successfully changed your account settings"))

  515. 		displaySetting(params[0], finalSettings, client, rb)

  516. 	case errInvalidParams, errAccountDoesNotExist, errFeatureDisabled, errAccountUnverified, errAccountUpdateFailed:

  517. 		nsNotice(rb, client.t(err.Error()))

  518. 	default:

  519. 		// unknown error

  520. 		nsNotice(rb, client.t("An error occurred"))

  521. 	}

  522. }

  523. 

  524. func nsDropHandler(server *Server, client *Client, command string, params []string, rb *ResponseBuffer) {

  525. 	sadrop := command == "sadrop"

  526. 	var nick string

  527. 	if len(params) > 0 {

  528. 		nick = params[0]

  529. 	} else {

  530. 		nick = client.NickCasefolded()

  531. 	}

  532. 

  533. 	err := server.accounts.SetNickReserved(client, nick, sadrop, false)

  534. 	if err == nil {

  535. 		nsNotice(rb, fmt.Sprintf(client.t("Successfully ungrouped nick %s with your account"), nick))

  536. 	} else if err == errAccountNotLoggedIn {

  537. 		nsNotice(rb, client.t("You're not logged into an account"))

  538. 	} else if err == errAccountCantDropPrimaryNick {

  539. 		nsNotice(rb, client.t("You can't ungroup your primary nickname (try unregistering your account instead)"))

  540. 	} else {

  541. 		nsNotice(rb, client.t("Could not ungroup nick"))

  542. 	}

  543. }

  544. 

  545. func nsGhostHandler(server *Server, client *Client, command string, params []string, rb *ResponseBuffer) {

  546. 	nick := params[0]

  547. 

  548. 	ghost := server.clients.Get(nick)

  549. 	if ghost == nil {

  550. 		nsNotice(rb, client.t("No such nick"))

  551. 		return

  552. 	} else if ghost == client {

  553. 		nsNotice(rb, client.t("You can't GHOST yourself (try /QUIT instead)"))

  554. 		return

  555. 	} else if ghost.AlwaysOn() {

  556. 		nsNotice(rb, client.t("You can't GHOST an always-on client"))

  557. 		return

  558. 	}

  559. 

  560. 	authorized := false

  561. 	account := client.Account()

  562. 	if account != "" {

  563. 		// the user must either own the nick, or the target client

  564. 		authorized = (server.accounts.NickToAccount(nick) == account) || (ghost.Account() == account)

  565. 	}

  566. 	if !authorized {

  567. 		nsNotice(rb, client.t("You don't own that nick"))

  568. 		return

  569. 	}

  570. 

  571. 	ghost.Quit(fmt.Sprintf(ghost.t("GHOSTed by %s"), client.Nick()), nil)

  572. 	ghost.destroy(nil)

  573. }

  574. 

  575. func nsGroupHandler(server *Server, client *Client, command string, params []string, rb *ResponseBuffer) {

  576. 	nick := client.Nick()

  577. 	err := server.accounts.SetNickReserved(client, nick, false, true)

  578. 	if err == nil {

  579. 		nsNotice(rb, fmt.Sprintf(client.t("Successfully grouped nick %s with your account"), nick))

  580. 	} else if err == errAccountTooManyNicks {

  581. 		nsNotice(rb, client.t("You have too many nicks reserved already (you can remove some with /NS DROP)"))

  582. 	} else if err == errNicknameReserved {

  583. 		nsNotice(rb, client.t("That nickname is already reserved by someone else"))

  584. 	} else {

  585. 		nsNotice(rb, client.t("Error reserving nickname"))

  586. 	}

  587. }

  588. 

  589. func nsLoginThrottleCheck(client *Client, rb *ResponseBuffer) (success bool) {

  590. 	throttled, remainingTime := client.loginThrottle.Touch()

  591. 	if throttled {

  592. 		nsNotice(rb, fmt.Sprintf(client.t("Please wait at least %v and try again"), remainingTime))

  593. 		return false

  594. 	}

  595. 	return true

  596. }

  597. 

  598. func nsIdentifyHandler(server *Server, client *Client, command string, params []string, rb *ResponseBuffer) {

  599. 	if client.LoggedIntoAccount() {

  600. 		nsNotice(rb, client.t("You're already logged into an account"))

  601. 		return

  602. 	}

  603. 

  604. 	loginSuccessful := false

  605. 

  606. 	var username, passphrase string

  607. 	if len(params) == 1 {

  608. 		if client.certfp != "" {

  609. 			username = params[0]

  610. 		} else {

  611. 			// XXX undocumented compatibility mode with other nickservs, allowing

  612. 			// /msg NickServ identify passphrase

  613. 			username = client.NickCasefolded()

  614. 			passphrase = params[0]

  615. 		}

  616. 	} else {

  617. 		username = params[0]

  618. 		passphrase = params[1]

  619. 	}

  620. 

  621. 	// try passphrase

  622. 	if passphrase != "" {

  623. 		if !nsLoginThrottleCheck(client, rb) {

  624. 			return

  625. 		}

  626. 		err := server.accounts.AuthenticateByPassphrase(client, username, passphrase)

  627. 		loginSuccessful = (err == nil)

  628. 	}

  629. 

  630. 	// try certfp

  631. 	if !loginSuccessful && client.certfp != "" {

  632. 		err := server.accounts.AuthenticateByCertFP(client, "")

  633. 		loginSuccessful = (err == nil)

  634. 	}

  635. 

  636. 	if loginSuccessful {

  637. 		sendSuccessfulAccountAuth(client, rb, true, true)

  638. 	} else {

  639. 		nsNotice(rb, client.t("Could not login with your TLS certificate or supplied username/password"))

  640. 	}

  641. }

  642. 

  643. func nsInfoHandler(server *Server, client *Client, command string, params []string, rb *ResponseBuffer) {

  644. 	if !server.Config().Accounts.AuthenticationEnabled && !client.HasRoleCapabs("accreg") {

  645. 		nsNotice(rb, client.t("This command has been disabled by the server administrators"))

  646. 		return

  647. 	}

  648. 

  649. 	var accountName string

  650. 	if len(params) > 0 {

  651. 		nick := params[0]

  652. 		if server.AccountConfig().NickReservation.Enabled {

  653. 			accountName = server.accounts.NickToAccount(nick)

  654. 			if accountName == "" {

  655. 				nsNotice(rb, client.t("That nickname is not registered"))

  656. 				return

  657. 			}

  658. 		} else {

  659. 			accountName = nick

  660. 		}

  661. 	} else {

  662. 		accountName = client.Account()

  663. 		if accountName == "" {

  664. 			nsNotice(rb, client.t("You're not logged into an account"))

  665. 			return

  666. 		}

  667. 	}

  668. 

  669. 	account, err := server.accounts.LoadAccount(accountName)

  670. 	if err != nil || !account.Verified {

  671. 		nsNotice(rb, client.t("Account does not exist"))

  672. 		return

  673. 	}

  674. 

  675. 	nsNotice(rb, fmt.Sprintf(client.t("Account: %s"), account.Name))

  676. 	registeredAt := account.RegisteredAt.Format(time.RFC1123)

  677. 	nsNotice(rb, fmt.Sprintf(client.t("Registered at: %s"), registeredAt))

  678. 	// TODO nicer formatting for this

  679. 	for _, nick := range account.AdditionalNicks {

  680. 		nsNotice(rb, fmt.Sprintf(client.t("Additional grouped nick: %s"), nick))

  681. 	}

  682. 	for _, channel := range server.accounts.ChannelsForAccount(accountName) {

  683. 		nsNotice(rb, fmt.Sprintf(client.t("Registered channel: %s"), channel))

  684. 	}

  685. }

  686. 

  687. func nsRegisterHandler(server *Server, client *Client, command string, params []string, rb *ResponseBuffer) {

  688. 	details := client.Details()

  689. 	account := details.nick

  690. 	passphrase := params[0]

  691. 	var email string

  692. 	if 1 < len(params) {

  693. 		email = params[1]

  694. 	}

  695. 

  696. 	certfp := client.certfp

  697. 	if passphrase == "*" {

  698. 		if certfp == "" {

  699. 			nsNotice(rb, client.t("You must be connected with TLS and a client certificate to do this"))

  700. 			return

  701. 		} else {

  702. 			passphrase = ""

  703. 		}

  704. 	}

  705. 

  706. 	if details.account != "" {

  707. 		nsNotice(rb, client.t("You're already logged into an account"))

  708. 		return

  709. 	}

  710. 

  711. 	if !nsLoginThrottleCheck(client, rb) {

  712. 		return

  713. 	}

  714. 

  715. 	config := server.AccountConfig()

  716. 	var callbackNamespace, callbackValue string

  717. 	noneCallbackAllowed := false

  718. 	for _, callback := range config.Registration.EnabledCallbacks {

  719. 		if callback == "*" {

  720. 			noneCallbackAllowed = true

  721. 		}

  722. 	}

  723. 	// XXX if ACC REGISTER allows registration with the `none` callback, then ignore

  724. 	// any callback that was passed here (to avoid confusion in the case where the ircd

  725. 	// has no mail server configured). otherwise, register using the provided callback:

  726. 	if noneCallbackAllowed {

  727. 		callbackNamespace = "*"

  728. 	} else {

  729. 		callbackNamespace, callbackValue = parseCallback(email, config)

  730. 		if callbackNamespace == "" || callbackValue == "" {

  731. 			nsNotice(rb, client.t("Registration requires a valid e-mail address"))

  732. 			return

  733. 		}

  734. 	}

  735. 

  736. 	err := server.accounts.Register(client, account, callbackNamespace, callbackValue, passphrase, client.certfp)

  737. 	if err == nil {

  738. 		if callbackNamespace == "*" {

  739. 			err = server.accounts.Verify(client, account, "")

  740. 			if err == nil {

  741. 				sendSuccessfulRegResponse(client, rb, true)

  742. 			}

  743. 		} else {

  744. 			messageTemplate := client.t("Account created, pending verification; verification code has been sent to %s")

  745. 			message := fmt.Sprintf(messageTemplate, fmt.Sprintf("%s:%s", callbackNamespace, callbackValue))

  746. 			nsNotice(rb, message)

  747. 		}

  748. 	}

  749. 

  750. 	// details could not be stored and relevant numerics have been dispatched, abort

  751. 	message, _ := registrationErrorToMessageAndCode(err)

  752. 	if err != nil {

  753. 		nsNotice(rb, client.t(message))

  754. 		return

  755. 	}

  756. }

  757. 

  758. func nsSaregisterHandler(server *Server, client *Client, command string, params []string, rb *ResponseBuffer) {

  759. 	var account, passphrase string

  760. 	account = params[0]

  761. 	if 1 < len(params) && params[1] != "*" {

  762. 		passphrase = params[1]

  763. 	}

  764. 	err := server.accounts.SARegister(account, passphrase)

  765. 

  766. 	if err != nil {

  767. 		var errMsg string

  768. 		if err == errAccountAlreadyRegistered || err == errAccountAlreadyVerified {

  769. 			errMsg = client.t("Account already exists")

  770. 		} else if err == errAccountBadPassphrase {

  771. 			errMsg = client.t("Passphrase contains forbidden characters or is otherwise invalid")

  772. 		} else {

  773. 			server.logger.Error("services", "unknown error from saregister", err.Error())

  774. 			errMsg = client.t("Could not register")

  775. 		}

  776. 		nsNotice(rb, errMsg)

  777. 	} else {

  778. 		nsNotice(rb, fmt.Sprintf(client.t("Successfully registered account %s"), account))

  779. 		server.snomasks.Send(sno.LocalAccounts, fmt.Sprintf(ircfmt.Unescape("Operator $c[grey][$r%s$c[grey]] registered account $c[grey][$r%s$c[grey]] with SAREGISTER"), client.Oper().Name, account))

  780. 	}

  781. }

  782. 

  783. func nsUnregisterHandler(server *Server, client *Client, command string, params []string, rb *ResponseBuffer) {

  784. 	username := params[0]

  785. 	var verificationCode string

  786. 	if len(params) > 1 {

  787. 		verificationCode = params[1]

  788. 	}

  789. 

  790. 	if username == "" {

  791. 		nsNotice(rb, client.t("You must specify an account"))

  792. 		return

  793. 	}

  794. 

  795. 	account, err := server.accounts.LoadAccount(username)

  796. 	if err == errAccountDoesNotExist {

  797. 		nsNotice(rb, client.t("Invalid account name"))

  798. 		return

  799. 	} else if err != nil {

  800. 		nsNotice(rb, client.t("Internal error"))

  801. 		return

  802. 	}

  803. 

  804. 	cfname, _ := CasefoldName(username)

  805. 	if !(cfname == client.Account() || client.HasRoleCapabs("accreg")) {

  806. 		nsNotice(rb, client.t("Insufficient oper privs"))

  807. 		return

  808. 	}

  809. 

  810. 	expectedCode := unregisterConfirmationCode(account.Name, account.RegisteredAt)

  811. 	if expectedCode != verificationCode {

  812. 		nsNotice(rb, ircfmt.Unescape(client.t("$bWarning: unregistering this account will remove its stored privileges.$b")))

  813. 		nsNotice(rb, fmt.Sprintf(client.t("To confirm account unregistration, type: /NS UNREGISTER %[1]s %[2]s"), cfname, expectedCode))

  814. 		return

  815. 	}

  816. 

  817. 	err = server.accounts.Unregister(cfname)

  818. 	if err == errAccountDoesNotExist {

  819. 		nsNotice(rb, client.t(err.Error()))

  820. 	} else if err != nil {

  821. 		nsNotice(rb, client.t("Error while unregistering account"))

  822. 	} else {

  823. 		nsNotice(rb, fmt.Sprintf(client.t("Successfully unregistered account %s"), cfname))

  824. 		server.logger.Info("accounts", "client", client.Nick(), "unregistered account", cfname)

  825. 	}

  826. 

  827. 	client.server.snomasks.Send(sno.LocalAccounts, fmt.Sprintf(ircfmt.Unescape("Client $c[grey][$r%s$c[grey]] unregistered account $c[grey][$r%s$c[grey]]"), client.NickMaskString(), account.Name))

  828. }

  829. 

  830. func nsVerifyHandler(server *Server, client *Client, command string, params []string, rb *ResponseBuffer) {

  831. 	username, code := params[0], params[1]

  832. 	err := server.accounts.Verify(client, username, code)

  833. 

  834. 	var errorMessage string

  835. 	if err == errAccountVerificationInvalidCode || err == errAccountAlreadyVerified {

  836. 		errorMessage = err.Error()

  837. 	} else if err != nil {

  838. 		errorMessage = errAccountVerificationFailed.Error()

  839. 	}

  840. 

  841. 	if errorMessage != "" {

  842. 		nsNotice(rb, client.t(errorMessage))

  843. 		return

  844. 	}

  845. 

  846. 	sendSuccessfulRegResponse(client, rb, true)

  847. }

  848. 

  849. func nsPasswdHandler(server *Server, client *Client, command string, params []string, rb *ResponseBuffer) {

  850. 	var target string

  851. 	var newPassword string

  852. 	var errorMessage string

  853. 

  854. 	hasPrivs := client.HasRoleCapabs("accreg")

  855. 

  856. 	switch len(params) {

  857. 	case 2:

  858. 		if !hasPrivs {

  859. 			errorMessage = `Insufficient privileges`

  860. 		} else {

  861. 			target, newPassword = params[0], params[1]

  862. 			if newPassword == "*" {

  863. 				newPassword = ""

  864. 			}

  865. 		}

  866. 	case 3:

  867. 		target = client.Account()

  868. 		if target == "" {

  869. 			errorMessage = `You're not logged into an account`

  870. 		} else if params[1] != params[2] {

  871. 			errorMessage = `Passwords do not match`

  872. 		} else {

  873. 			if !nsLoginThrottleCheck(client, rb) {

  874. 				return

  875. 			}

  876. 			accountData, err := server.accounts.LoadAccount(target)

  877. 			if err != nil {

  878. 				errorMessage = `You're not logged into an account`

  879. 			} else {

  880. 				hash := accountData.Credentials.PassphraseHash

  881. 				if hash != nil && passwd.CompareHashAndPassword(hash, []byte(params[0])) != nil {

  882. 					errorMessage = `Password incorrect`

  883. 				} else {

  884. 					newPassword = params[1]

  885. 					if newPassword == "*" {

  886. 						newPassword = ""

  887. 					}

  888. 				}

  889. 			}

  890. 		}

  891. 	default:

  892. 		errorMessage = `Invalid parameters`

  893. 	}

  894. 

  895. 	if errorMessage != "" {

  896. 		nsNotice(rb, client.t(errorMessage))

  897. 		return

  898. 	}

  899. 

  900. 	err := server.accounts.setPassword(target, newPassword, hasPrivs)

  901. 	switch err {

  902. 	case nil:

  903. 		nsNotice(rb, client.t("Password changed"))

  904. 	case errEmptyCredentials:

  905. 		nsNotice(rb, client.t("You can't delete your password unless you add a certificate fingerprint"))

  906. 	case errCredsExternallyManaged:

  907. 		nsNotice(rb, client.t("Your account credentials are managed externally and cannot be changed here"))

  908. 	case errCASFailed:

  909. 		nsNotice(rb, client.t("Try again later"))

  910. 	default:

  911. 		server.logger.Error("internal", "could not upgrade user password:", err.Error())

  912. 		nsNotice(rb, client.t("Password could not be changed due to server error"))

  913. 	}

  914. }

  915. 

  916. func nsEnforceHandler(server *Server, client *Client, command string, params []string, rb *ResponseBuffer) {

  917. 	newParams := []string{"enforce"}

  918. 	if len(params) == 0 {

  919. 		nsGetHandler(server, client, "get", newParams, rb)

  920. 	} else {

  921. 		newParams = append(newParams, params[0])

  922. 		nsSetHandler(server, client, "set", newParams, rb)

  923. 	}

  924. }

  925. 

  926. func nsSessionsHandler(server *Server, client *Client, command string, params []string, rb *ResponseBuffer) {

  927. 	target := client

  928. 

  929. 	if 0 < len(params) {

  930. 		target = server.clients.Get(params[0])

  931. 		if target == nil {

  932. 			nsNotice(rb, client.t("No such nick"))

  933. 			return

  934. 		}

  935. 		// same permissions check as RPL_WHOISACTUALLY for now:

  936. 		if target != client && !client.HasMode(modes.Operator) {

  937. 			nsNotice(rb, client.t("Command restricted"))

  938. 			return

  939. 		}

  940. 	}

  941. 

  942. 	sessionData, currentIndex := target.AllSessionData(rb.session)

  943. 	nsNotice(rb, fmt.Sprintf(client.t("Nickname %[1]s has %[2]d attached session(s)"), target.Nick(), len(sessionData)))

  944. 	for i, session := range sessionData {

  945. 		if currentIndex == i {

  946. 			nsNotice(rb, fmt.Sprintf(client.t("Session %d (currently attached session):"), i+1))

  947. 		} else {

  948. 			nsNotice(rb, fmt.Sprintf(client.t("Session %d:"), i+1))

  949. 		}

  950. 		nsNotice(rb, fmt.Sprintf(client.t("IP address:  %s"), session.ip.String()))

  951. 		nsNotice(rb, fmt.Sprintf(client.t("Hostname:    %s"), session.hostname))

  952. 		nsNotice(rb, fmt.Sprintf(client.t("Created at:  %s"), session.ctime.Format(time.RFC1123)))

  953. 		nsNotice(rb, fmt.Sprintf(client.t("Last active: %s"), session.atime.Format(time.RFC1123)))

  954. 	}

  955. }

  956. 

  957. func nsCertHandler(server *Server, client *Client, command string, params []string, rb *ResponseBuffer) {

  958. 	verb := strings.ToLower(params[0])

  959. 	params = params[1:]

  960. 	var target, certfp string

  961. 

  962. 	switch verb {

  963. 	case "list":

  964. 		if 1 <= len(params) {

  965. 			target = params[0]

  966. 		}

  967. 	case "add", "del":

  968. 		if 2 <= len(params) {

  969. 			target, certfp = params[0], params[1]

  970. 		} else if len(params) == 1 {

  971. 			certfp = params[0]

  972. 		} else {

  973. 			nsNotice(rb, client.t("Invalid parameters"))

  974. 			return

  975. 		}

  976. 	default:

  977. 		nsNotice(rb, client.t("Invalid parameters"))

  978. 		return

  979. 	}

  980. 

  981. 	hasPrivs := client.HasRoleCapabs("accreg")

  982. 	if target != "" && !hasPrivs {

  983. 		nsNotice(rb, client.t("Insufficient privileges"))

  984. 		return

  985. 	} else if target == "" {

  986. 		target = client.Account()

  987. 		if target == "" {

  988. 			nsNotice(rb, client.t("You're not logged into an account"))

  989. 			return

  990. 		}

  991. 	}

  992. 

  993. 	var err error

  994. 	switch verb {

  995. 	case "list":

  996. 		accountData, err := server.accounts.LoadAccount(target)

  997. 		if err == errAccountDoesNotExist {

  998. 			nsNotice(rb, client.t("Account does not exist"))

  999. 			return

  1000. 		} else if err != nil {

  1001. 			nsNotice(rb, client.t("An error occurred"))

  1002. 			return

  1003. 		}

  1004. 		certfps := accountData.Credentials.Certfps

  1005. 		nsNotice(rb, fmt.Sprintf(client.t("There are %[1]d certificate fingerprint(s) authorized for account %[2]s."), len(certfps), accountData.Name))

  1006. 		for i, certfp := range certfps {

  1007. 			nsNotice(rb, fmt.Sprintf("%d: %s", i+1, certfp))

  1008. 		}

  1009. 		return

  1010. 	case "add":

  1011. 		err = server.accounts.addRemoveCertfp(target, certfp, true, hasPrivs)

  1012. 	case "del":

  1013. 		err = server.accounts.addRemoveCertfp(target, certfp, false, hasPrivs)

  1014. 	}

  1015. 

  1016. 	switch err {

  1017. 	case nil:

  1018. 		if verb == "add" {

  1019. 			nsNotice(rb, client.t("Certificate fingerprint successfully added"))

  1020. 		} else {

  1021. 			nsNotice(rb, client.t("Certificate fingerprint successfully removed"))

  1022. 		}

  1023. 	case errNoop:

  1024. 		if verb == "add" {

  1025. 			nsNotice(rb, client.t("That certificate fingerprint was already authorized"))

  1026. 		} else {

  1027. 			nsNotice(rb, client.t("Certificate fingerprint not found"))

  1028. 		}

  1029. 	case errAccountDoesNotExist:

  1030. 		nsNotice(rb, client.t("Account does not exist"))

  1031. 	case errLimitExceeded:

  1032. 		nsNotice(rb, client.t("You already have too many certificate fingerprints"))

  1033. 	case utils.ErrInvalidCertfp:

  1034. 		nsNotice(rb, client.t("Invalid certificate fingerprint"))

  1035. 	case errCertfpAlreadyExists:

  1036. 		nsNotice(rb, client.t("That certificate fingerprint is already associated with another account"))

  1037. 	case errEmptyCredentials:

  1038. 		nsNotice(rb, client.t("You can't remove all your certificate fingerprints unless you add a password"))

  1039. 	case errCredsExternallyManaged:

  1040. 		nsNotice(rb, client.t("Your account credentials are managed externally and cannot be changed here"))

  1041. 	case errCASFailed:

  1042. 		nsNotice(rb, client.t("Try again later"))

  1043. 	default:

  1044. 		server.logger.Error("internal", "could not modify certificates:", err.Error())

  1045. 		nsNotice(rb, client.t("An error occurred"))

  1046. 	}

  1047. }