mirror
/
oragono
spegling av https://github.com/oragono/oragono
Bevaka 1
Stjärnmärk 0
Förgrening 0
Kod Ärenden 0 Släpp 70 Wiki Aktiviteter
Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.
516 Incheckningar
21 Grenar
Träd: da6f350563
Grenar Taggar
${ item.name }
Skapa branchen ${ searchTerm }
från 'da6f350563'
${ noResults }
oragono/irc/accounts.go

accounts.go 8.3KB
Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283 
  1. // Copyright (c) 2016- Daniel Oaks <daniel@danieloaks.net>

  2. // released under the MIT license

  3. 

  4. package irc

  5. 

  6. import (

  7. 	"bytes"

  8. 	"encoding/base64"

  9. 	"encoding/json"

  10. 	"errors"

  11. 	"fmt"

  12. 	"strconv"

  13. 	"strings"

  14. 	"time"

  15. 

  16. 	"github.com/DanielOaks/girc-go/ircmsg"

  17. 	"github.com/tidwall/buntdb"

  18. )

  19. 

  20. var (

  21. 	// EnabledSaslMechanisms contains the SASL mechanisms that exist and that we support.

  22. 	// This can be moved to some other data structure/place if we need to load/unload mechs later.

  23. 	EnabledSaslMechanisms = map[string]func(*Server, *Client, string, []byte) bool{

  24. 		"PLAIN":    authPlainHandler,

  25. 		"EXTERNAL": authExternalHandler,

  26. 	}

  27. 

  28. 	// NoAccount is a placeholder which means that the user is not logged into an account.

  29. 	NoAccount = ClientAccount{

  30. 		Name: "*", // * is used until actual account name is set

  31. 	}

  32. 

  33. 	// generic sasl fail error

  34. 	errSaslFail = errors.New("SASL failed")

  35. )

  36. 

  37. // ClientAccount represents a user account.

  38. type ClientAccount struct {

  39. 	// Name of the account.

  40. 	Name string

  41. 	// RegisteredAt represents the time that the account was registered.

  42. 	RegisteredAt time.Time

  43. 	// Clients that are currently logged into this account (useful for notifications).

  44. 	Clients []*Client

  45. }

  46. 

  47. // loadAccountCredentials loads an account's credentials from the store.

  48. func loadAccountCredentials(tx *buntdb.Tx, accountKey string) (*AccountCredentials, error) {

  49. 	credText, err := tx.Get(fmt.Sprintf(keyAccountCredentials, accountKey))

  50. 	if err != nil {

  51. 		return nil, err

  52. 	}

  53. 

  54. 	var creds AccountCredentials

  55. 	err = json.Unmarshal([]byte(credText), &creds)

  56. 	if err != nil {

  57. 		return nil, err

  58. 	}

  59. 

  60. 	return &creds, nil

  61. }

  62. 

  63. // loadAccount loads an account from the store, note that the account must actually exist.

  64. func loadAccount(server *Server, tx *buntdb.Tx, accountKey string) *ClientAccount {

  65. 	name, _ := tx.Get(fmt.Sprintf(keyAccountName, accountKey))

  66. 	regTime, _ := tx.Get(fmt.Sprintf(keyAccountRegTime, accountKey))

  67. 	regTimeInt, _ := strconv.ParseInt(regTime, 10, 64)

  68. 	accountInfo := ClientAccount{

  69. 		Name:         name,

  70. 		RegisteredAt: time.Unix(regTimeInt, 0),

  71. 		Clients:      []*Client{},

  72. 	}

  73. 	server.accounts[accountKey] = &accountInfo

  74. 

  75. 	return &accountInfo

  76. }

  77. 

  78. // authenticateHandler parses the AUTHENTICATE command (for SASL authentication).

  79. func authenticateHandler(server *Server, client *Client, msg ircmsg.IrcMessage) bool {

  80. 	// sasl abort

  81. 	if len(msg.Params) == 1 && msg.Params[0] == "*" {

  82. 		if client.saslInProgress {

  83. 			client.Send(nil, server.name, ERR_SASLABORTED, client.nick, "SASL authentication aborted")

  84. 		} else {

  85. 			client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed")

  86. 		}

  87. 		client.saslInProgress = false

  88. 		client.saslMechanism = ""

  89. 		client.saslValue = ""

  90. 		return false

  91. 	}

  92. 

  93. 	// start new sasl session

  94. 	if !client.saslInProgress {

  95. 		mechanism := strings.ToUpper(msg.Params[0])

  96. 		_, mechanismIsEnabled := EnabledSaslMechanisms[mechanism]

  97. 

  98. 		if mechanismIsEnabled {

  99. 			client.saslInProgress = true

  100. 			client.saslMechanism = mechanism

  101. 			client.Send(nil, server.name, "AUTHENTICATE", "+")

  102. 		} else {

  103. 			client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed")

  104. 		}

  105. 

  106. 		return false

  107. 	}

  108. 

  109. 	// continue existing sasl session

  110. 	rawData := msg.Params[0]

  111. 

  112. 	if len(rawData) > 400 {

  113. 		client.Send(nil, server.name, ERR_SASLTOOLONG, client.nick, "SASL message too long")

  114. 		client.saslInProgress = false

  115. 		client.saslMechanism = ""

  116. 		client.saslValue = ""

  117. 		return false

  118. 	} else if len(rawData) == 400 {

  119. 		client.saslValue += rawData

  120. 		// allow 4 'continuation' lines before rejecting for length

  121. 		if len(client.saslValue) > 400*4 {

  122. 			client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed: Passphrase too long")

  123. 			client.saslInProgress = false

  124. 			client.saslMechanism = ""

  125. 			client.saslValue = ""

  126. 			return false

  127. 		}

  128. 		return false

  129. 	}

  130. 	if rawData != "+" {

  131. 		client.saslValue += rawData

  132. 	}

  133. 

  134. 	var data []byte

  135. 	var err error

  136. 	if client.saslValue != "+" {

  137. 		data, err = base64.StdEncoding.DecodeString(client.saslValue)

  138. 		if err != nil {

  139. 			client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed: Invalid b64 encoding")

  140. 			client.saslInProgress = false

  141. 			client.saslMechanism = ""

  142. 			client.saslValue = ""

  143. 			return false

  144. 		}

  145. 	}

  146. 

  147. 	// call actual handler

  148. 	handler, handlerExists := EnabledSaslMechanisms[client.saslMechanism]

  149. 

  150. 	// like 100% not required, but it's good to be safe I guess

  151. 	if !handlerExists {

  152. 		client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed")

  153. 		client.saslInProgress = false

  154. 		client.saslMechanism = ""

  155. 		client.saslValue = ""

  156. 		return false

  157. 	}

  158. 

  159. 	// sasl is being done now by the handler, so we empty the client's vars now

  160. 	client.saslInProgress = false

  161. 	client.saslMechanism = ""

  162. 	client.saslValue = ""

  163. 

  164. 	return handler(server, client, client.saslMechanism, data)

  165. }

  166. 

  167. // authPlainHandler parses the SASL PLAIN mechanism.

  168. func authPlainHandler(server *Server, client *Client, mechanism string, value []byte) bool {

  169. 	splitValue := bytes.Split(value, []byte{'\000'})

  170. 

  171. 	if len(splitValue) != 3 {

  172. 		client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed: Invalid auth blob")

  173. 		return false

  174. 	}

  175. 

  176. 	accountKey := string(splitValue[0])

  177. 	authzid := string(splitValue[1])

  178. 

  179. 	if accountKey != authzid {

  180. 		client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed: authcid and authzid should be the same")

  181. 		return false

  182. 	}

  183. 

  184. 	// keep it the same as in the REG CREATE stage

  185. 	accountKey, err := CasefoldName(accountKey)

  186. 	if err != nil {

  187. 		client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed: Bad account name")

  188. 		return false

  189. 	}

  190. 

  191. 	// load and check acct data all in one update to prevent races.

  192. 	// as noted elsewhere, change to proper locking for Account type later probably

  193. 	err = server.store.Update(func(tx *buntdb.Tx) error {

  194. 		creds, err := loadAccountCredentials(tx, accountKey)

  195. 		if err != nil {

  196. 			return err

  197. 		}

  198. 

  199. 		// ensure creds are valid

  200. 		password := string(splitValue[2])

  201. 		if len(creds.PassphraseHash) < 1 || len(creds.PassphraseSalt) < 1 || len(password) < 1 {

  202. 			return errSaslFail

  203. 		}

  204. 		err = server.passwords.CompareHashAndPassword(creds.PassphraseHash, creds.PassphraseSalt, password)

  205. 

  206. 		// succeeded, load account info if necessary

  207. 		account, exists := server.accounts[accountKey]

  208. 		if !exists {

  209. 			account = loadAccount(server, tx, accountKey)

  210. 		}

  211. 

  212. 		account.Clients = append(account.Clients, client)

  213. 		client.account = account

  214. 

  215. 		return err

  216. 	})

  217. 

  218. 	if err != nil {

  219. 		client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed")

  220. 		return false

  221. 	}

  222. 

  223. 	client.successfulSaslAuth()

  224. 	return false

  225. }

  226. 

  227. // authExternalHandler parses the SASL EXTERNAL mechanism.

  228. func authExternalHandler(server *Server, client *Client, mechanism string, value []byte) bool {

  229. 	if client.certfp == "" {

  230. 		client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed, you are not connecting with a caertificate")

  231. 		return false

  232. 	}

  233. 

  234. 	err := server.store.Update(func(tx *buntdb.Tx) error {

  235. 		// certfp lookup key

  236. 		accountKey, err := tx.Get(fmt.Sprintf(keyCertToAccount, client.certfp))

  237. 		if err != nil {

  238. 			return errSaslFail

  239. 		}

  240. 

  241. 		// confirm account exists

  242. 		_, err = tx.Get(fmt.Sprintf(keyAccountExists, accountKey))

  243. 		if err != nil {

  244. 			return errSaslFail

  245. 		}

  246. 

  247. 		// confirm the certfp in that account's credentials

  248. 		creds, err := loadAccountCredentials(tx, accountKey)

  249. 		if err != nil || creds.Certificate != client.certfp {

  250. 			return errSaslFail

  251. 		}

  252. 

  253. 		// succeeded, load account info if necessary

  254. 		account, exists := server.accounts[accountKey]

  255. 		if !exists {

  256. 			account = loadAccount(server, tx, accountKey)

  257. 		}

  258. 

  259. 		account.Clients = append(account.Clients, client)

  260. 		client.account = account

  261. 

  262. 		return nil

  263. 	})

  264. 

  265. 	if err != nil {

  266. 		client.Send(nil, server.name, ERR_SASLFAIL, client.nick, "SASL authentication failed")

  267. 		return false

  268. 	}

  269. 

  270. 	client.successfulSaslAuth()

  271. 	return false

  272. }

  273. 

  274. // successfulSaslAuth means that a SASL auth attempt completed successfully, and is used to dispatch messages.

  275. func (c *Client) successfulSaslAuth() {

  276. 	c.Send(nil, c.server.name, RPL_LOGGEDIN, c.nick, c.nickMaskString, c.account.Name, fmt.Sprintf("You are now logged in as %s", c.account.Name))

  277. 	c.Send(nil, c.server.name, RPL_SASLSUCCESS, c.nick, "SASL authentication successful")

  278. 

  279. 	// dispatch account-notify

  280. 	for friend := range c.Friends(AccountNotify) {

  281. 		friend.Send(nil, c.nickMaskString, "ACCOUNT", c.account.Name)

  282. 	}

  283. }