mirror
/
oragono
kopia lustrzana https://github.com/oragono/oragono
Obserwuj 1
Gwiazdka 0
Forkuj 0
Kod Problemy 0 Wydania 69 Wiki Aktywność
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1051 Commity
21 Gałęzie
Drzewo: b1a500f461
Gałęzie Tagi
${ item.name }
Utwórz gałąź ${ searchTerm }
z 'b1a500f461'
${ noResults }
oragono/irc/accountreg.go

accountreg.go 10KB
Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297 
  1. // Copyright (c) 2016-2017 Daniel Oaks <daniel@danieloaks.net>

  2. // released under the MIT license

  3. 

  4. package irc

  5. 

  6. import (

  7. 	"encoding/json"

  8. 	"errors"

  9. 	"fmt"

  10. 	"log"

  11. 	"strconv"

  12. 	"strings"

  13. 	"time"

  14. 

  15. 	"github.com/goshuirc/irc-go/ircfmt"

  16. 	"github.com/goshuirc/irc-go/ircmsg"

  17. 	"github.com/oragono/oragono/irc/passwd"

  18. 	"github.com/oragono/oragono/irc/sno"

  19. 	"github.com/tidwall/buntdb"

  20. )

  21. 

  22. var (

  23. 	errAccountCreation     = errors.New("Account could not be created")

  24. 	errCertfpAlreadyExists = errors.New("An account already exists with your certificate")

  25. )

  26. 

  27. // AccountRegistration manages the registration of accounts.

  28. type AccountRegistration struct {

  29. 	Enabled                    bool

  30. 	EnabledCallbacks           []string

  31. 	EnabledCredentialTypes     []string

  32. 	AllowMultiplePerConnection bool

  33. }

  34. 

  35. // AccountCredentials stores the various methods for verifying accounts.

  36. type AccountCredentials struct {

  37. 	PassphraseSalt []byte

  38. 	PassphraseHash []byte

  39. 	Certificate    string // fingerprint

  40. }

  41. 

  42. // NewAccountRegistration returns a new AccountRegistration, configured correctly.

  43. func NewAccountRegistration(config AccountRegistrationConfig) (accountReg AccountRegistration) {

  44. 	if config.Enabled {

  45. 		accountReg.Enabled = true

  46. 		accountReg.AllowMultiplePerConnection = config.AllowMultiplePerConnection

  47. 		for _, name := range config.EnabledCallbacks {

  48. 			// we store "none" as "*" internally

  49. 			if name == "none" {

  50. 				name = "*"

  51. 			}

  52. 			accountReg.EnabledCallbacks = append(accountReg.EnabledCallbacks, name)

  53. 		}

  54. 		// no need to make this configurable, right now at least

  55. 		accountReg.EnabledCredentialTypes = []string{

  56. 			"passphrase",

  57. 			"certfp",

  58. 		}

  59. 	}

  60. 	return accountReg

  61. }

  62. 

  63. // accHandler parses the ACC command.

  64. func accHandler(server *Server, client *Client, msg ircmsg.IrcMessage) bool {

  65. 	subcommand := strings.ToLower(msg.Params[0])

  66. 

  67. 	if subcommand == "register" {

  68. 		return accRegisterHandler(server, client, msg)

  69. 	} else if subcommand == "verify" {

  70. 		client.Notice(client.t("VERIFY is not yet implemented"))

  71. 	} else {

  72. 		client.Send(nil, server.name, ERR_UNKNOWNERROR, client.nick, "ACC", msg.Params[0], client.t("Unknown subcommand"))

  73. 	}

  74. 

  75. 	return false

  76. }

  77. 

  78. // removeFailedAccRegisterData removes the data created by ACC REGISTER if the account creation fails early.

  79. func removeFailedAccRegisterData(store *buntdb.DB, account string) {

  80. 	// error is ignored here, we can't do much about it anyways

  81. 	store.Update(func(tx *buntdb.Tx) error {

  82. 		tx.Delete(fmt.Sprintf(keyAccountExists, account))

  83. 		tx.Delete(fmt.Sprintf(keyAccountRegTime, account))

  84. 		tx.Delete(fmt.Sprintf(keyAccountCredentials, account))

  85. 

  86. 		return nil

  87. 	})

  88. }

  89. 

  90. // accRegisterHandler parses the ACC REGISTER command.

  91. func accRegisterHandler(server *Server, client *Client, msg ircmsg.IrcMessage) bool {

  92. 	// make sure reg is enabled

  93. 	if !server.accountRegistration.Enabled {

  94. 		client.Send(nil, server.name, ERR_REG_UNSPECIFIED_ERROR, client.nick, "*", client.t("Account registration is disabled"))

  95. 		return false

  96. 	}

  97. 

  98. 	// clients can't reg new accounts if they're already logged in

  99. 	if client.LoggedIntoAccount() {

  100. 		if server.accountRegistration.AllowMultiplePerConnection {

  101. 			client.LogoutOfAccount()

  102. 		} else {

  103. 			client.Send(nil, server.name, ERR_REG_UNSPECIFIED_ERROR, client.nick, "*", client.t("You're already logged into an account"))

  104. 			return false

  105. 		}

  106. 	}

  107. 

  108. 	// get and sanitise account name

  109. 	account := strings.TrimSpace(msg.Params[1])

  110. 	casefoldedAccount, err := CasefoldName(account)

  111. 	// probably don't need explicit check for "*" here... but let's do it anyway just to make sure

  112. 	if err != nil || msg.Params[1] == "*" {

  113. 		client.Send(nil, server.name, ERR_REG_UNSPECIFIED_ERROR, client.nick, account, client.t("Account name is not valid"))

  114. 		return false

  115. 	}

  116. 

  117. 	// check whether account exists

  118. 	// do it all in one write tx to prevent races

  119. 	err = server.store.Update(func(tx *buntdb.Tx) error {

  120. 		accountKey := fmt.Sprintf(keyAccountExists, casefoldedAccount)

  121. 

  122. 		_, err := tx.Get(accountKey)

  123. 		if err != buntdb.ErrNotFound {

  124. 			//TODO(dan): if account verified key doesn't exist account is not verified, calc the maximum time without verification and expire and continue if need be

  125. 			client.Send(nil, server.name, ERR_ACCOUNT_ALREADY_EXISTS, client.nick, account, client.t("Account already exists"))

  126. 			return errAccountCreation

  127. 		}

  128. 

  129. 		registeredTimeKey := fmt.Sprintf(keyAccountRegTime, casefoldedAccount)

  130. 

  131. 		tx.Set(accountKey, "1", nil)

  132. 		tx.Set(fmt.Sprintf(keyAccountName, casefoldedAccount), account, nil)

  133. 		tx.Set(registeredTimeKey, strconv.FormatInt(time.Now().Unix(), 10), nil)

  134. 		return nil

  135. 	})

  136. 

  137. 	// account could not be created and relevant numerics have been dispatched, abort

  138. 	if err != nil {

  139. 		if err != errAccountCreation {

  140. 			client.Send(nil, server.name, ERR_UNKNOWNERROR, client.nick, "ACC", "REGISTER", client.t("Could not register"))

  141. 			log.Println("Could not save registration initial data:", err.Error())

  142. 		}

  143. 		return false

  144. 	}

  145. 

  146. 	// account didn't already exist, continue with account creation and dispatching verification (if required)

  147. 	callback := strings.ToLower(msg.Params[2])

  148. 	var callbackNamespace, callbackValue string

  149. 

  150. 	if callback == "*" {

  151. 		callbackNamespace = "*"

  152. 	} else if strings.Contains(callback, ":") {

  153. 		callbackValues := strings.SplitN(callback, ":", 2)

  154. 		callbackNamespace, callbackValue = callbackValues[0], callbackValues[1]

  155. 	} else {

  156. 		callbackNamespace = server.accountRegistration.EnabledCallbacks[0]

  157. 		callbackValue = callback

  158. 	}

  159. 

  160. 	// ensure the callback namespace is valid

  161. 	// need to search callback list, maybe look at using a map later?

  162. 	var callbackValid bool

  163. 	for _, name := range server.accountRegistration.EnabledCallbacks {

  164. 		if callbackNamespace == name {

  165. 			callbackValid = true

  166. 		}

  167. 	}

  168. 

  169. 	if !callbackValid {

  170. 		client.Send(nil, server.name, ERR_REG_INVALID_CALLBACK, client.nick, account, callbackNamespace, client.t("Callback namespace is not supported"))

  171. 		removeFailedAccRegisterData(server.store, casefoldedAccount)

  172. 		return false

  173. 	}

  174. 

  175. 	// get credential type/value

  176. 	var credentialType, credentialValue string

  177. 

  178. 	if len(msg.Params) > 4 {

  179. 		credentialType = strings.ToLower(msg.Params[3])

  180. 		credentialValue = msg.Params[4]

  181. 	} else if len(msg.Params) == 4 {

  182. 		credentialType = "passphrase" // default from the spec

  183. 		credentialValue = msg.Params[3]

  184. 	} else {

  185. 		client.Send(nil, server.name, ERR_NEEDMOREPARAMS, client.nick, msg.Command, client.t("Not enough parameters"))

  186. 		removeFailedAccRegisterData(server.store, casefoldedAccount)

  187. 		return false

  188. 	}

  189. 

  190. 	// ensure the credential type is valid

  191. 	var credentialValid bool

  192. 	for _, name := range server.accountRegistration.EnabledCredentialTypes {

  193. 		if credentialType == name {

  194. 			credentialValid = true

  195. 		}

  196. 	}

  197. 	if credentialType == "certfp" && client.certfp == "" {

  198. 		client.Send(nil, server.name, ERR_REG_INVALID_CRED_TYPE, client.nick, credentialType, callbackNamespace, client.t("You are not using a TLS certificate"))

  199. 		removeFailedAccRegisterData(server.store, casefoldedAccount)

  200. 		return false

  201. 	}

  202. 

  203. 	if !credentialValid {

  204. 		client.Send(nil, server.name, ERR_REG_INVALID_CRED_TYPE, client.nick, credentialType, callbackNamespace, client.t("Credential type is not supported"))

  205. 		removeFailedAccRegisterData(server.store, casefoldedAccount)

  206. 		return false

  207. 	}

  208. 

  209. 	// store details

  210. 	err = server.store.Update(func(tx *buntdb.Tx) error {

  211. 		// certfp special lookup key

  212. 		if credentialType == "certfp" {

  213. 			assembledKeyCertToAccount := fmt.Sprintf(keyCertToAccount, client.certfp)

  214. 

  215. 			// make sure certfp doesn't already exist because that'd be silly

  216. 			_, err := tx.Get(assembledKeyCertToAccount)

  217. 			if err != buntdb.ErrNotFound {

  218. 				return errCertfpAlreadyExists

  219. 			}

  220. 

  221. 			tx.Set(assembledKeyCertToAccount, casefoldedAccount, nil)

  222. 		}

  223. 

  224. 		// make creds

  225. 		var creds AccountCredentials

  226. 

  227. 		// always set passphrase salt

  228. 		creds.PassphraseSalt, err = passwd.NewSalt()

  229. 		if err != nil {

  230. 			return fmt.Errorf("Could not create passphrase salt: %s", err.Error())

  231. 		}

  232. 

  233. 		if credentialType == "certfp" {

  234. 			creds.Certificate = client.certfp

  235. 		} else if credentialType == "passphrase" {

  236. 			creds.PassphraseHash, err = server.passwords.GenerateFromPassword(creds.PassphraseSalt, credentialValue)

  237. 			if err != nil {

  238. 				return fmt.Errorf("Could not hash password: %s", err)

  239. 			}

  240. 		}

  241. 		credText, err := json.Marshal(creds)

  242. 		if err != nil {

  243. 			return fmt.Errorf("Could not marshal creds: %s", err)

  244. 		}

  245. 		tx.Set(fmt.Sprintf(keyAccountCredentials, account), string(credText), nil)

  246. 

  247. 		return nil

  248. 	})

  249. 

  250. 	// details could not be stored and relevant numerics have been dispatched, abort

  251. 	if err != nil {

  252. 		errMsg := "Could not register"

  253. 		if err == errCertfpAlreadyExists {

  254. 			errMsg = "An account already exists for your certificate fingerprint"

  255. 		}

  256. 		client.Send(nil, server.name, ERR_UNKNOWNERROR, client.nick, "ACC", "REGISTER", errMsg)

  257. 		log.Println("Could not save registration creds:", err.Error())

  258. 		removeFailedAccRegisterData(server.store, casefoldedAccount)

  259. 		return false

  260. 	}

  261. 

  262. 	// automatically complete registration

  263. 	if callbackNamespace == "*" {

  264. 		err = server.store.Update(func(tx *buntdb.Tx) error {

  265. 			tx.Set(fmt.Sprintf(keyAccountVerified, casefoldedAccount), "1", nil)

  266. 

  267. 			// load acct info inside store tx

  268. 			account := ClientAccount{

  269. 				Name:         strings.TrimSpace(msg.Params[1]),

  270. 				RegisteredAt: time.Now(),

  271. 				Clients:      []*Client{client},

  272. 			}

  273. 			//TODO(dan): Consider creating ircd-wide account adding/removing/affecting lock for protecting access to these sorts of variables

  274. 			server.accounts[casefoldedAccount] = &account

  275. 			client.account = &account

  276. 

  277. 			client.Send(nil, server.name, RPL_REGISTRATION_SUCCESS, client.nick, account.Name, client.t("Account created"))

  278. 			client.Send(nil, server.name, RPL_LOGGEDIN, client.nick, client.nickMaskString, account.Name, fmt.Sprintf(client.t("You are now logged in as %s"), account.Name))

  279. 			client.Send(nil, server.name, RPL_SASLSUCCESS, client.nick, client.t("Authentication successful"))

  280. 			server.snomasks.Send(sno.LocalAccounts, fmt.Sprintf(ircfmt.Unescape("Account registered $c[grey][$r%s$c[grey]] by $c[grey][$r%s$c[grey]]"), account.Name, client.nickMaskString))

  281. 			return nil

  282. 		})

  283. 		if err != nil {

  284. 			client.Send(nil, server.name, ERR_UNKNOWNERROR, client.nick, "ACC", "REGISTER", client.t("Could not register"))

  285. 			log.Println("Could not save verification confirmation (*):", err.Error())

  286. 			removeFailedAccRegisterData(server.store, casefoldedAccount)

  287. 			return false

  288. 		}

  289. 

  290. 		return false

  291. 	}

  292. 

  293. 	// dispatch callback

  294. 	client.Notice(fmt.Sprintf("We should dispatch a real callback here to %s:%s", callbackNamespace, callbackValue))

  295. 

  296. 	return false

  297. }