mirror
/
oragono
mirror of https://github.com/oragono/oragono
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 69 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1097 Commits
21 Branches
Tree: ad73d68807
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ad73d68807'
${ noResults }
oragono/irc/accounts.go

accounts.go 15KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526 
  1. // Copyright (c) 2016-2017 Daniel Oaks <daniel@danieloaks.net>

  2. // released under the MIT license

  3. 

  4. package irc

  5. 

  6. import (

  7. 	"encoding/json"

  8. 	"fmt"

  9. 	"strconv"

  10. 	"strings"

  11. 	"sync"

  12. 	"time"

  13. 

  14. 	"github.com/goshuirc/irc-go/ircfmt"

  15. 	"github.com/oragono/oragono/irc/caps"

  16. 	"github.com/oragono/oragono/irc/passwd"

  17. 	"github.com/oragono/oragono/irc/sno"

  18. 	"github.com/tidwall/buntdb"

  19. )

  20. 

  21. const (

  22. 	keyAccountExists      = "account.exists %s"

  23. 	keyAccountVerified    = "account.verified %s"

  24. 	keyAccountName        = "account.name %s" // stores the 'preferred name' of the account, not casemapped

  25. 	keyAccountRegTime     = "account.registered.time %s"

  26. 	keyAccountCredentials = "account.credentials %s"

  27. 	keyCertToAccount      = "account.creds.certfp %s"

  28. )

  29. 

  30. // everything about accounts is persistent; therefore, the database is the authoritative

  31. // source of truth for all account information. anything on the heap is just a cache

  32. type AccountManager struct {

  33. 	sync.RWMutex                      // tier 2

  34. 	serialCacheUpdateMutex sync.Mutex // tier 3

  35. 

  36. 	server *Server

  37. 	// track clients logged in to accounts

  38. 	accountToClients map[string][]*Client

  39. 	nickToAccount    map[string]string

  40. }

  41. 

  42. func NewAccountManager(server *Server) *AccountManager {

  43. 	am := AccountManager{

  44. 		accountToClients: make(map[string][]*Client),

  45. 		nickToAccount:    make(map[string]string),

  46. 		server:           server,

  47. 	}

  48. 

  49. 	am.buildNickToAccountIndex()

  50. 	return &am

  51. }

  52. 

  53. func (am *AccountManager) buildNickToAccountIndex() {

  54. 	if am.server.AccountConfig().NickReservation == NickReservationDisabled {

  55. 		return

  56. 	}

  57. 

  58. 	result := make(map[string]string)

  59. 	existsPrefix := fmt.Sprintf(keyAccountExists, "")

  60. 

  61. 	am.serialCacheUpdateMutex.Lock()

  62. 	defer am.serialCacheUpdateMutex.Unlock()

  63. 

  64. 	err := am.server.store.View(func(tx *buntdb.Tx) error {

  65. 		err := tx.AscendGreaterOrEqual("", existsPrefix, func(key, value string) bool {

  66. 			if !strings.HasPrefix(key, existsPrefix) {

  67. 				return false

  68. 			}

  69. 			accountName := strings.TrimPrefix(key, existsPrefix)

  70. 			if _, err := tx.Get(fmt.Sprintf(keyAccountVerified, accountName)); err == nil {

  71. 				result[accountName] = accountName

  72. 			}

  73. 			return true

  74. 		})

  75. 		return err

  76. 	})

  77. 

  78. 	if err != nil {

  79. 		am.server.logger.Error("internal", fmt.Sprintf("couldn't read reserved nicks: %v", err))

  80. 	} else {

  81. 		am.Lock()

  82. 		am.nickToAccount = result

  83. 		am.Unlock()

  84. 	}

  85. 

  86. 	return

  87. }

  88. 

  89. func (am *AccountManager) NickToAccount(cfnick string) string {

  90. 	am.RLock()

  91. 	defer am.RUnlock()

  92. 	return am.nickToAccount[cfnick]

  93. }

  94. 

  95. func (am *AccountManager) Register(client *Client, account string, callbackNamespace string, callbackValue string, passphrase string, certfp string) error {

  96. 	casefoldedAccount, err := CasefoldName(account)

  97. 	if err != nil || account == "" || account == "*" {

  98. 		return errAccountCreation

  99. 	}

  100. 

  101. 	accountKey := fmt.Sprintf(keyAccountExists, casefoldedAccount)

  102. 	accountNameKey := fmt.Sprintf(keyAccountName, casefoldedAccount)

  103. 	registeredTimeKey := fmt.Sprintf(keyAccountRegTime, casefoldedAccount)

  104. 	credentialsKey := fmt.Sprintf(keyAccountCredentials, casefoldedAccount)

  105. 	certFPKey := fmt.Sprintf(keyCertToAccount, certfp)

  106. 

  107. 	var creds AccountCredentials

  108. 	// always set passphrase salt

  109. 	creds.PassphraseSalt, err = passwd.NewSalt()

  110. 	if err != nil {

  111. 		return errAccountCreation

  112. 	}

  113. 	// it's fine if this is empty, that just means no certificate is authorized

  114. 	creds.Certificate = certfp

  115. 	if passphrase != "" {

  116. 		creds.PassphraseHash, err = am.server.passwords.GenerateFromPassword(creds.PassphraseSalt, passphrase)

  117. 		if err != nil {

  118. 			am.server.logger.Error("internal", fmt.Sprintf("could not hash password: %v", err))

  119. 			return errAccountCreation

  120. 		}

  121. 	}

  122. 

  123. 	credText, err := json.Marshal(creds)

  124. 	if err != nil {

  125. 		am.server.logger.Error("internal", fmt.Sprintf("could not marshal credentials: %v", err))

  126. 		return errAccountCreation

  127. 	}

  128. 	credStr := string(credText)

  129. 

  130. 	registeredTimeStr := strconv.FormatInt(time.Now().Unix(), 10)

  131. 

  132. 	var setOptions *buntdb.SetOptions

  133. 	ttl := am.server.AccountConfig().Registration.VerifyTimeout

  134. 	if ttl != 0 {

  135. 		setOptions = &buntdb.SetOptions{Expires: true, TTL: ttl}

  136. 	}

  137. 

  138. 	err = am.server.store.Update(func(tx *buntdb.Tx) error {

  139. 		_, err := am.loadRawAccount(tx, casefoldedAccount)

  140. 		if err != errAccountDoesNotExist {

  141. 			return errAccountAlreadyRegistered

  142. 		}

  143. 

  144. 		if certfp != "" {

  145. 			// make sure certfp doesn't already exist because that'd be silly

  146. 			_, err := tx.Get(certFPKey)

  147. 			if err != buntdb.ErrNotFound {

  148. 				return errCertfpAlreadyExists

  149. 			}

  150. 		}

  151. 

  152. 		tx.Set(accountKey, "1", setOptions)

  153. 		tx.Set(accountNameKey, account, setOptions)

  154. 		tx.Set(registeredTimeKey, registeredTimeStr, setOptions)

  155. 		tx.Set(credentialsKey, credStr, setOptions)

  156. 		if certfp != "" {

  157. 			tx.Set(certFPKey, casefoldedAccount, setOptions)

  158. 		}

  159. 		return nil

  160. 	})

  161. 

  162. 	if err != nil {

  163. 		return err

  164. 	}

  165. 

  166. 	return nil

  167. }

  168. 

  169. func (am *AccountManager) Verify(client *Client, account string, code string) error {

  170. 	casefoldedAccount, err := CasefoldName(account)

  171. 	if err != nil || account == "" || account == "*" {

  172. 		return errAccountVerificationFailed

  173. 	}

  174. 

  175. 	verifiedKey := fmt.Sprintf(keyAccountVerified, casefoldedAccount)

  176. 	accountKey := fmt.Sprintf(keyAccountExists, casefoldedAccount)

  177. 	accountNameKey := fmt.Sprintf(keyAccountName, casefoldedAccount)

  178. 	registeredTimeKey := fmt.Sprintf(keyAccountRegTime, casefoldedAccount)

  179. 	credentialsKey := fmt.Sprintf(keyAccountCredentials, casefoldedAccount)

  180. 

  181. 	var raw rawClientAccount

  182. 

  183. 	func() {

  184. 		am.serialCacheUpdateMutex.Lock()

  185. 		defer am.serialCacheUpdateMutex.Unlock()

  186. 

  187. 		am.server.store.Update(func(tx *buntdb.Tx) error {

  188. 			raw, err = am.loadRawAccount(tx, casefoldedAccount)

  189. 			if err == errAccountDoesNotExist {

  190. 				return errAccountDoesNotExist

  191. 			} else if err != nil {

  192. 				return errAccountVerificationFailed

  193. 			} else if raw.Verified {

  194. 				return errAccountAlreadyVerified

  195. 			}

  196. 

  197. 			// TODO add code verification here

  198. 			// return errAccountVerificationFailed if it fails

  199. 

  200. 			// verify the account

  201. 			tx.Set(verifiedKey, "1", nil)

  202. 			// re-set all other keys, removing the TTL

  203. 			tx.Set(accountKey, "1", nil)

  204. 			tx.Set(accountNameKey, raw.Name, nil)

  205. 			tx.Set(registeredTimeKey, raw.RegisteredAt, nil)

  206. 			tx.Set(credentialsKey, raw.Credentials, nil)

  207. 

  208. 			var creds AccountCredentials

  209. 			// XXX we shouldn't do (de)serialization inside the txn,

  210. 			// but this is like 2 usec on my system

  211. 			json.Unmarshal([]byte(raw.Credentials), &creds)

  212. 			if creds.Certificate != "" {

  213. 				certFPKey := fmt.Sprintf(keyCertToAccount, creds.Certificate)

  214. 				tx.Set(certFPKey, casefoldedAccount, nil)

  215. 			}

  216. 

  217. 			return nil

  218. 		})

  219. 

  220. 		if err == nil {

  221. 			am.Lock()

  222. 			am.nickToAccount[casefoldedAccount] = casefoldedAccount

  223. 			am.Unlock()

  224. 		}

  225. 	}()

  226. 

  227. 	if err != nil {

  228. 		return err

  229. 	}

  230. 

  231. 	am.Login(client, raw.Name)

  232. 	return nil

  233. }

  234. 

  235. func (am *AccountManager) AuthenticateByPassphrase(client *Client, accountName string, passphrase string) error {

  236. 	casefoldedAccount, err := CasefoldName(accountName)

  237. 	if err != nil {

  238. 		return errAccountDoesNotExist

  239. 	}

  240. 

  241. 	account, err := am.LoadAccount(casefoldedAccount)

  242. 	if err != nil {

  243. 		return err

  244. 	}

  245. 

  246. 	if !account.Verified {

  247. 		return errAccountUnverified

  248. 	}

  249. 

  250. 	err = am.server.passwords.CompareHashAndPassword(

  251. 		account.Credentials.PassphraseHash, account.Credentials.PassphraseSalt, passphrase)

  252. 	if err != nil {

  253. 		return errAccountInvalidCredentials

  254. 	}

  255. 

  256. 	am.Login(client, account.Name)

  257. 	return nil

  258. }

  259. 

  260. func (am *AccountManager) LoadAccount(casefoldedAccount string) (result ClientAccount, err error) {

  261. 	var raw rawClientAccount

  262. 	am.server.store.View(func(tx *buntdb.Tx) error {

  263. 		raw, err = am.loadRawAccount(tx, casefoldedAccount)

  264. 		if err == buntdb.ErrNotFound {

  265. 			err = errAccountDoesNotExist

  266. 		}

  267. 		return nil

  268. 	})

  269. 	if err != nil {

  270. 		return

  271. 	}

  272. 

  273. 	result.Name = raw.Name

  274. 	regTimeInt, _ := strconv.ParseInt(raw.RegisteredAt, 10, 64)

  275. 	result.RegisteredAt = time.Unix(regTimeInt, 0)

  276. 	e := json.Unmarshal([]byte(raw.Credentials), &result.Credentials)

  277. 	if e != nil {

  278. 		am.server.logger.Error("internal", fmt.Sprintf("could not unmarshal credentials: %v", e))

  279. 		err = errAccountDoesNotExist

  280. 		return

  281. 	}

  282. 	result.Verified = raw.Verified

  283. 	return

  284. }

  285. 

  286. func (am *AccountManager) loadRawAccount(tx *buntdb.Tx, casefoldedAccount string) (result rawClientAccount, err error) {

  287. 	accountKey := fmt.Sprintf(keyAccountExists, casefoldedAccount)

  288. 	accountNameKey := fmt.Sprintf(keyAccountName, casefoldedAccount)

  289. 	registeredTimeKey := fmt.Sprintf(keyAccountRegTime, casefoldedAccount)

  290. 	credentialsKey := fmt.Sprintf(keyAccountCredentials, casefoldedAccount)

  291. 	verifiedKey := fmt.Sprintf(keyAccountVerified, casefoldedAccount)

  292. 

  293. 	_, e := tx.Get(accountKey)

  294. 	if e == buntdb.ErrNotFound {

  295. 		err = errAccountDoesNotExist

  296. 		return

  297. 	}

  298. 

  299. 	if result.Name, err = tx.Get(accountNameKey); err != nil {

  300. 		return

  301. 	}

  302. 	if result.RegisteredAt, err = tx.Get(registeredTimeKey); err != nil {

  303. 		return

  304. 	}

  305. 	if result.Credentials, err = tx.Get(credentialsKey); err != nil {

  306. 		return

  307. 	}

  308. 	if _, e = tx.Get(verifiedKey); e == nil {

  309. 		result.Verified = true

  310. 	}

  311. 

  312. 	return

  313. }

  314. 

  315. func (am *AccountManager) Unregister(account string) error {

  316. 	casefoldedAccount, err := CasefoldName(account)

  317. 	if err != nil {

  318. 		return errAccountDoesNotExist

  319. 	}

  320. 

  321. 	accountKey := fmt.Sprintf(keyAccountExists, casefoldedAccount)

  322. 	accountNameKey := fmt.Sprintf(keyAccountName, casefoldedAccount)

  323. 	registeredTimeKey := fmt.Sprintf(keyAccountRegTime, casefoldedAccount)

  324. 	credentialsKey := fmt.Sprintf(keyAccountCredentials, casefoldedAccount)

  325. 	verifiedKey := fmt.Sprintf(keyAccountVerified, casefoldedAccount)

  326. 

  327. 	var clients []*Client

  328. 

  329. 	func() {

  330. 		var credText string

  331. 

  332. 		am.serialCacheUpdateMutex.Lock()

  333. 		defer am.serialCacheUpdateMutex.Unlock()

  334. 

  335. 		am.server.store.Update(func(tx *buntdb.Tx) error {

  336. 			tx.Delete(accountKey)

  337. 			tx.Delete(accountNameKey)

  338. 			tx.Delete(verifiedKey)

  339. 			tx.Delete(registeredTimeKey)

  340. 			credText, err = tx.Get(credentialsKey)

  341. 			tx.Delete(credentialsKey)

  342. 			return nil

  343. 		})

  344. 

  345. 		if err == nil {

  346. 			var creds AccountCredentials

  347. 			if err = json.Unmarshal([]byte(credText), &creds); err == nil && creds.Certificate != "" {

  348. 				certFPKey := fmt.Sprintf(keyCertToAccount, creds.Certificate)

  349. 				am.server.store.Update(func(tx *buntdb.Tx) error {

  350. 					if account, err := tx.Get(certFPKey); err == nil && account == casefoldedAccount {

  351. 						tx.Delete(certFPKey)

  352. 					}

  353. 					return nil

  354. 				})

  355. 			}

  356. 		}

  357. 

  358. 		am.Lock()

  359. 		defer am.Unlock()

  360. 		clients = am.accountToClients[casefoldedAccount]

  361. 		delete(am.accountToClients, casefoldedAccount)

  362. 		// TODO when registration of multiple nicks is fully implemented,

  363. 		// save the nicks that were deleted from the store and delete them here:

  364. 		delete(am.nickToAccount, casefoldedAccount)

  365. 	}()

  366. 

  367. 	for _, client := range clients {

  368. 		client.LogoutOfAccount()

  369. 	}

  370. 

  371. 	return nil

  372. }

  373. 

  374. func (am *AccountManager) AuthenticateByCertFP(client *Client) error {

  375. 	if client.certfp == "" {

  376. 		return errAccountInvalidCredentials

  377. 	}

  378. 

  379. 	var account string

  380. 	var rawAccount rawClientAccount

  381. 	certFPKey := fmt.Sprintf(keyCertToAccount, client.certfp)

  382. 

  383. 	err := am.server.store.Update(func(tx *buntdb.Tx) error {

  384. 		var err error

  385. 		account, _ = tx.Get(certFPKey)

  386. 		if account == "" {

  387. 			return errAccountInvalidCredentials

  388. 		}

  389. 		rawAccount, err = am.loadRawAccount(tx, account)

  390. 		if err != nil || !rawAccount.Verified {

  391. 			return errAccountUnverified

  392. 		}

  393. 		return nil

  394. 	})

  395. 

  396. 	if err != nil {

  397. 		return err

  398. 	}

  399. 

  400. 	// ok, we found an account corresponding to their certificate

  401. 

  402. 	am.Login(client, rawAccount.Name)

  403. 	return nil

  404. }

  405. 

  406. func (am *AccountManager) Login(client *Client, account string) {

  407. 	client.LoginToAccount(account)

  408. 

  409. 	casefoldedAccount, _ := CasefoldName(account)

  410. 	am.Lock()

  411. 	defer am.Unlock()

  412. 	am.accountToClients[casefoldedAccount] = append(am.accountToClients[casefoldedAccount], client)

  413. }

  414. 

  415. func (am *AccountManager) Logout(client *Client) {

  416. 	casefoldedAccount := client.Account()

  417. 	if casefoldedAccount == "" || casefoldedAccount == "*" {

  418. 		return

  419. 	}

  420. 

  421. 	client.LogoutOfAccount()

  422. 

  423. 	am.Lock()

  424. 	defer am.Unlock()

  425. 

  426. 	if client.LoggedIntoAccount() {

  427. 		return

  428. 	}

  429. 

  430. 	clients := am.accountToClients[casefoldedAccount]

  431. 	if len(clients) <= 1 {

  432. 		delete(am.accountToClients, casefoldedAccount)

  433. 		return

  434. 	}

  435. 	remainingClients := make([]*Client, len(clients)-1)

  436. 	remainingPos := 0

  437. 	for currentPos := 0; currentPos < len(clients); currentPos++ {

  438. 		if clients[currentPos] != client {

  439. 			remainingClients[remainingPos] = clients[currentPos]

  440. 			remainingPos++

  441. 		}

  442. 	}

  443. 	am.accountToClients[casefoldedAccount] = remainingClients

  444. 	return

  445. }

  446. 

  447. var (

  448. 	// EnabledSaslMechanisms contains the SASL mechanisms that exist and that we support.

  449. 	// This can be moved to some other data structure/place if we need to load/unload mechs later.

  450. 	EnabledSaslMechanisms = map[string]func(*Server, *Client, string, []byte, *ResponseBuffer) bool{

  451. 		"PLAIN":    authPlainHandler,

  452. 		"EXTERNAL": authExternalHandler,

  453. 	}

  454. )

  455. 

  456. // AccountCredentials stores the various methods for verifying accounts.

  457. type AccountCredentials struct {

  458. 	PassphraseSalt []byte

  459. 	PassphraseHash []byte

  460. 	Certificate    string // fingerprint

  461. }

  462. 

  463. // ClientAccount represents a user account.

  464. type ClientAccount struct {

  465. 	// Name of the account.

  466. 	Name string

  467. 	// RegisteredAt represents the time that the account was registered.

  468. 	RegisteredAt time.Time

  469. 	Credentials  AccountCredentials

  470. 	Verified     bool

  471. }

  472. 

  473. // convenience for passing around raw serialized account data

  474. type rawClientAccount struct {

  475. 	Name         string

  476. 	RegisteredAt string

  477. 	Credentials  string

  478. 	Verified     bool

  479. }

  480. 

  481. // LoginToAccount logs the client into the given account.

  482. func (client *Client) LoginToAccount(account string) {

  483. 	casefoldedAccount, err := CasefoldName(account)

  484. 	if err != nil {

  485. 		return

  486. 	}

  487. 

  488. 	if client.Account() == casefoldedAccount {

  489. 		// already logged into this acct, no changing necessary

  490. 		return

  491. 	}

  492. 

  493. 	client.SetAccountName(casefoldedAccount)

  494. 	client.nickTimer.Touch()

  495. 

  496. 	client.server.snomasks.Send(sno.LocalAccounts, fmt.Sprintf(ircfmt.Unescape("Client $c[grey][$r%s$c[grey]] logged into account $c[grey][$r%s$c[grey]]"), client.nickMaskString, casefoldedAccount))

  497. 

  498. 	//TODO(dan): This should output the AccountNotify message instead of the sasl accepted function below.

  499. }

  500. 

  501. // LogoutOfAccount logs the client out of their current account.

  502. func (client *Client) LogoutOfAccount() {

  503. 	if client.Account() == "" {

  504. 		// already logged out

  505. 		return

  506. 	}

  507. 

  508. 	client.SetAccountName("")

  509. 	client.nickTimer.Touch()

  510. 

  511. 	// dispatch account-notify

  512. 	for friend := range client.Friends(caps.AccountNotify) {

  513. 		friend.Send(nil, client.nickMaskString, "ACCOUNT", "*")

  514. 	}

  515. }

  516. 

  517. // successfulSaslAuth means that a SASL auth attempt completed successfully, and is used to dispatch messages.

  518. func (client *Client) successfulSaslAuth(rb *ResponseBuffer) {

  519. 	rb.Add(nil, client.server.name, RPL_LOGGEDIN, client.nick, client.nickMaskString, client.AccountName(), fmt.Sprintf("You are now logged in as %s", client.AccountName()))

  520. 	rb.Add(nil, client.server.name, RPL_SASLSUCCESS, client.nick, client.t("SASL authentication successful"))

  521. 

  522. 	// dispatch account-notify

  523. 	for friend := range client.Friends(caps.AccountNotify) {

  524. 		friend.Send(nil, client.nickMaskString, "ACCOUNT", client.AccountName())

  525. 	}

  526. }