Context Navigation

source: code/trunk/service.go@ 330

Last change on this file since 330 was 329, checked in by delthas, 5 years ago

Add support for the user create admin service command

This adds support for user create, a new service command only accessible
to admin users. This lets users create other users on the fly and makes
soju start the user routine immediately; unlike sojuctl which currently
requires closing soju, creating the user, and starting soju again.

File size: 15.0 KB

Rev	Line
[117]	1	package soju
	2
	3	import (
[307]	4	"crypto"
	5	"crypto/ecdsa"
	6	"crypto/ed25519"
	7	"crypto/elliptic"
	8	"crypto/rand"
	9	"crypto/rsa"
	10	"crypto/sha1"
	11	"crypto/sha256"
	12	"crypto/x509"
	13	"crypto/x509/pkix"
	14	"encoding/hex"
	15	"errors"
[120]	16	"flag"
[117]	17	"fmt"
[120]	18	"io/ioutil"
[307]	19	"math/big"
[117]	20	"strings"
[307]	21	"time"
[117]	22
	23	"github.com/google/shlex"
[252]	24	"golang.org/x/crypto/bcrypt"
[117]	25	"gopkg.in/irc.v3"
	26	)
	27
	28	const serviceNick = "BouncerServ"
	29
[220]	30	var servicePrefix = &irc.Prefix{
	31	Name: serviceNick,
	32	User: serviceNick,
	33	Host: serviceNick,
	34	}
	35
[150]	36	type serviceCommandSet map[string]*serviceCommand
	37
[117]	38	type serviceCommand struct {
[150]	39	usage string
	40	desc string
	41	handle func(dc *downstreamConn, params []string) error
	42	children serviceCommandSet
[328]	43	admin bool
[117]	44	}
	45
[218]	46	func sendServiceNOTICE(dc *downstreamConn, text string) {
	47	dc.SendMessage(&irc.Message{
[220]	48	Prefix: servicePrefix,
[218]	49	Command: "NOTICE",
	50	Params: []string{dc.nick, text},
	51	})
	52	}
	53
[117]	54	func sendServicePRIVMSG(dc *downstreamConn, text string) {
	55	dc.SendMessage(&irc.Message{
[220]	56	Prefix: servicePrefix,
[117]	57	Command: "PRIVMSG",
	58	Params: []string{dc.nick, text},
	59	})
	60	}
	61
	62	func handleServicePRIVMSG(dc *downstreamConn, text string) {
	63	words, err := shlex.Split(text)
	64	if err != nil {
	65	sendServicePRIVMSG(dc, fmt.Sprintf("error: failed to parse command: %v", err))
	66	return
	67	}
	68
[150]	69	cmd, params, err := serviceCommands.Get(words)
	70	if err != nil {
	71	sendServicePRIVMSG(dc, fmt.Sprintf(`error: %v (type "help" for a list of commands)`, err))
[117]	72	return
	73	}
[328]	74	if cmd.admin && !dc.user.Admin {
	75	sendServicePRIVMSG(dc, fmt.Sprintf(`error: you must be an admin to use this command`))
	76	return
	77	}
[117]	78
	79	if err := cmd.handle(dc, params); err != nil {
	80	sendServicePRIVMSG(dc, fmt.Sprintf("error: %v", err))
	81	}
	82	}
	83
[150]	84	func (cmds serviceCommandSet) Get(params []string) (*serviceCommand, []string, error) {
	85	if len(params) == 0 {
	86	return nil, nil, fmt.Errorf("no command specified")
	87	}
[117]	88
[150]	89	name := params[0]
	90	params = params[1:]
	91
	92	cmd, ok := cmds[name]
	93	if !ok {
	94	for k := range cmds {
	95	if !strings.HasPrefix(k, name) {
	96	continue
	97	}
	98	if cmd != nil {
	99	return nil, params, fmt.Errorf("command %q is ambiguous", name)
	100	}
	101	cmd = cmds[k]
	102	}
	103	}
	104	if cmd == nil {
	105	return nil, params, fmt.Errorf("command %q not found", name)
	106	}
	107
	108	if len(params) == 0 \|\| len(cmd.children) == 0 {
	109	return cmd, params, nil
	110	}
	111	return cmd.children.Get(params)
	112	}
	113
	114	var serviceCommands serviceCommandSet
	115
[117]	116	func init() {
[150]	117	serviceCommands = serviceCommandSet{
[117]	118	"help": {
	119	usage: "[command]",
	120	desc: "print help message",
	121	handle: handleServiceHelp,
	122	},
[150]	123	"network": {
	124	children: serviceCommandSet{
	125	"create": {
[313]	126	usage: "-addr <addr> [-name name] [-username username] [-pass pass] [-realname realname] [-nick nick] [-connect-command command]...",
[150]	127	desc: "add a new network",
[325]	128	handle: handleServiceNetworkCreate,
[150]	129	},
[151]	130	"status": {
	131	desc: "show a list of saved networks and their current status",
	132	handle: handleServiceNetworkStatus,
	133	},
[313]	134	"update": {
[315]	135	usage: "[-addr addr] [-name name] [-username username] [-pass pass] [-realname realname] [-nick nick] [-connect-command command]...",
	136	desc: "update a network",
[313]	137	handle: handleServiceNetworkUpdate,
	138	},
[202]	139	"delete": {
	140	usage: "<name>",
	141	desc: "delete a network",
	142	handle: handleServiceNetworkDelete,
	143	},
[150]	144	},
[120]	145	},
[307]	146	"certfp": {
	147	children: serviceCommandSet{
	148	"generate": {
	149	usage: "[-key-type rsa\|ecdsa\|ed25519] [-bits N] <network name>",
	150	desc: "generate a new self-signed certificate, defaults to using RSA-3072 key",
	151	handle: handleServiceCertfpGenerate,
	152	},
	153	"fingerprint": {
	154	usage: "<network name>",
	155	desc: "show fingerprints of certificate associated with the network",
	156	handle: handleServiceCertfpFingerprints,
	157	},
	158	"reset": {
	159	usage: "<network name>",
	160	desc: "disable SASL EXTERNAL authentication and remove stored certificate",
	161	handle: handleServiceCertfpReset,
	162	},
	163	},
	164	},
[329]	165	"user": {
	166	children: serviceCommandSet{
	167	"create": {
	168	usage: "-username <username> -password <password> [-admin]",
	169	desc: "create a new soju user",
	170	handle: handleUserCreate,
	171	admin: true,
	172	},
	173	},
	174	admin: true,
	175	},
[252]	176	"change-password": {
	177	usage: "<new password>",
	178	desc: "change your password",
	179	handle: handlePasswordChange,
	180	},
[117]	181	}
	182	}
	183
[328]	184	func appendServiceCommandSetHelp(cmds serviceCommandSet, prefix []string, admin bool, l *[]string) {
[150]	185	for name, cmd := range cmds {
[328]	186	if cmd.admin && !admin {
	187	continue
	188	}
[150]	189	words := append(prefix, name)
	190	if len(cmd.children) == 0 {
	191	s := strings.Join(words, " ")
	192	l = append(l, s)
	193	} else {
[328]	194	appendServiceCommandSetHelp(cmd.children, words, admin, l)
[150]	195	}
	196	}
	197	}
	198
[117]	199	func handleServiceHelp(dc *downstreamConn, params []string) error {
	200	if len(params) > 0 {
[150]	201	cmd, rest, err := serviceCommands.Get(params)
	202	if err != nil {
	203	return err
[117]	204	}
[150]	205	words := params[:len(params)-len(rest)]
[117]	206
[150]	207	if len(cmd.children) > 0 {
	208	var l []string
[328]	209	appendServiceCommandSetHelp(cmd.children, words, dc.user.Admin, &l)
[150]	210	sendServicePRIVMSG(dc, "available commands: "+strings.Join(l, ", "))
	211	} else {
	212	text := strings.Join(words, " ")
	213	if cmd.usage != "" {
	214	text += " " + cmd.usage
	215	}
	216	text += ": " + cmd.desc
	217
	218	sendServicePRIVMSG(dc, text)
[117]	219	}
	220	} else {
	221	var l []string
[328]	222	appendServiceCommandSetHelp(serviceCommands, nil, dc.user.Admin, &l)
[117]	223	sendServicePRIVMSG(dc, "available commands: "+strings.Join(l, ", "))
	224	}
	225	return nil
	226	}
[120]	227
[202]	228	func newFlagSet() *flag.FlagSet {
[120]	229	fs := flag.NewFlagSet("", flag.ContinueOnError)
	230	fs.SetOutput(ioutil.Discard)
[202]	231	return fs
	232	}
	233
[313]	234	type stringSliceFlag []string
[263]	235
[313]	236	func (v *stringSliceFlag) String() string {
[263]	237	return fmt.Sprint([]string(*v))
	238	}
	239
[313]	240	func (v *stringSliceFlag) Set(s string) error {
[263]	241	v = append(v, s)
	242	return nil
	243	}
	244
[313]	245	// stringPtrFlag is a flag value populating a string pointer. This allows to
	246	// disambiguate between a flag that hasn't been set and a flag that has been
	247	// set to an empty string.
	248	type stringPtrFlag struct {
	249	ptr **string
	250	}
	251
	252	func (f stringPtrFlag) String() string {
	253	if *f.ptr == nil {
	254	return ""
	255	}
	256	return **f.ptr
	257	}
	258
	259	func (f stringPtrFlag) Set(s string) error {
	260	*f.ptr = &s
	261	return nil
	262	}
	263
	264	type networkFlagSet struct {
	265	*flag.FlagSet
	266	Addr, Name, Nick, Username, Pass, Realname *string
[315]	267	ConnectCommands []string
[313]	268	}
	269
	270	func newNetworkFlagSet() *networkFlagSet {
	271	fs := &networkFlagSet{FlagSet: newFlagSet()}
	272	fs.Var(stringPtrFlag{&fs.Addr}, "addr", "")
	273	fs.Var(stringPtrFlag{&fs.Name}, "name", "")
	274	fs.Var(stringPtrFlag{&fs.Nick}, "nick", "")
	275	fs.Var(stringPtrFlag{&fs.Username}, "username", "")
	276	fs.Var(stringPtrFlag{&fs.Pass}, "pass", "")
	277	fs.Var(stringPtrFlag{&fs.Realname}, "realname", "")
	278	fs.Var((*stringSliceFlag)(&fs.ConnectCommands), "connect-command", "")
	279	return fs
	280	}
	281
	282	func (fs networkFlagSet) update(network Network) error {
	283	if fs.Addr != nil {
	284	if addrParts := strings.SplitN(*fs.Addr, "://", 2); len(addrParts) == 2 {
	285	scheme := addrParts[0]
	286	switch scheme {
	287	case "ircs", "irc+insecure":
	288	default:
	289	return fmt.Errorf("unknown scheme %q (supported schemes: ircs, irc+insecure)", scheme)
	290	}
	291	}
	292	network.Addr = *fs.Addr
	293	}
	294	if fs.Name != nil {
	295	network.Name = *fs.Name
	296	}
	297	if fs.Nick != nil {
	298	network.Nick = *fs.Nick
	299	}
	300	if fs.Username != nil {
	301	network.Username = *fs.Username
	302	}
	303	if fs.Pass != nil {
	304	network.Pass = *fs.Pass
	305	}
	306	if fs.Realname != nil {
	307	network.Realname = *fs.Realname
	308	}
	309	if fs.ConnectCommands != nil {
	310	if len(fs.ConnectCommands) == 1 && fs.ConnectCommands[0] == "" {
	311	network.ConnectCommands = nil
	312	} else {
	313	for _, command := range fs.ConnectCommands {
	314	_, err := irc.ParseMessage(command)
	315	if err != nil {
	316	return fmt.Errorf("flag -connect-command must be a valid raw irc command string: %q: %v", command, err)
	317	}
	318	}
	319	network.ConnectCommands = fs.ConnectCommands
	320	}
	321	}
	322	return nil
	323	}
	324
[325]	325	func handleServiceNetworkCreate(dc *downstreamConn, params []string) error {
[313]	326	fs := newNetworkFlagSet()
[120]	327	if err := fs.Parse(params); err != nil {
	328	return err
	329	}
[313]	330	if fs.Addr == nil {
[150]	331	return fmt.Errorf("flag -addr is required")
[120]	332	}
	333
[313]	334	record := &Network{
	335	Addr: *fs.Addr,
	336	Nick: dc.nick,
[269]	337	}
[313]	338	if err := fs.update(record); err != nil {
	339	return err
[263]	340	}
	341
[313]	342	network, err := dc.user.createNetwork(record)
[120]	343	if err != nil {
	344	return fmt.Errorf("could not create network: %v", err)
	345	}
	346
[202]	347	sendServicePRIVMSG(dc, fmt.Sprintf("created network %q", network.GetName()))
[120]	348	return nil
	349	}
[151]	350
	351	func handleServiceNetworkStatus(dc *downstreamConn, params []string) error {
	352	dc.user.forEachNetwork(func(net *network) {
	353	var statuses []string
	354	var details string
[279]	355	if uc := net.conn; uc != nil {
[271]	356	if dc.nick != uc.nick {
	357	statuses = append(statuses, "connected as "+uc.nick)
	358	} else {
	359	statuses = append(statuses, "connected")
	360	}
[151]	361	details = fmt.Sprintf("%v channels", len(uc.channels))
	362	} else {
	363	statuses = append(statuses, "disconnected")
[219]	364	if net.lastError != nil {
	365	details = net.lastError.Error()
	366	}
[151]	367	}
	368
	369	if net == dc.network {
	370	statuses = append(statuses, "current")
	371	}
	372
[224]	373	name := net.GetName()
	374	if name != net.Addr {
	375	name = fmt.Sprintf("%v (%v)", name, net.Addr)
	376	}
	377
	378	s := fmt.Sprintf("%v [%v]", name, strings.Join(statuses, ", "))
[151]	379	if details != "" {
	380	s += ": " + details
	381	}
	382	sendServicePRIVMSG(dc, s)
	383	})
	384	return nil
	385	}
[202]	386
[313]	387	func handleServiceNetworkUpdate(dc *downstreamConn, params []string) error {
	388	if len(params) < 1 {
	389	return fmt.Errorf("expected exactly one argument")
	390	}
	391
	392	fs := newNetworkFlagSet()
	393	if err := fs.Parse(params[1:]); err != nil {
	394	return err
	395	}
	396
	397	net := dc.user.getNetwork(params[0])
	398	if net == nil {
	399	return fmt.Errorf("unknown network %q", params[0])
	400	}
	401
	402	record := net.Network // copy network record because we'll mutate it
	403	if err := fs.update(&record); err != nil {
	404	return err
	405	}
	406
	407	network, err := dc.user.updateNetwork(&record)
	408	if err != nil {
	409	return fmt.Errorf("could not update network: %v", err)
	410	}
	411
	412	sendServicePRIVMSG(dc, fmt.Sprintf("updated network %q", network.GetName()))
	413	return nil
	414	}
	415
[202]	416	func handleServiceNetworkDelete(dc *downstreamConn, params []string) error {
	417	if len(params) != 1 {
	418	return fmt.Errorf("expected exactly one argument")
	419	}
	420
	421	net := dc.user.getNetwork(params[0])
	422	if net == nil {
	423	return fmt.Errorf("unknown network %q", params[0])
	424	}
	425
	426	if err := dc.user.deleteNetwork(net.ID); err != nil {
	427	return err
	428	}
	429
	430	sendServicePRIVMSG(dc, fmt.Sprintf("deleted network %q", net.GetName()))
	431	return nil
	432	}
[252]	433
[325]	434	func handleServiceCertfpGenerate(dc *downstreamConn, params []string) error {
	435	fs := newFlagSet()
	436	keyType := fs.String("key-type", "rsa", "key type to generate (rsa, ecdsa, ed25519)")
	437	bits := fs.Int("bits", 3072, "size of key to generate, meaningful only for RSA")
	438
	439	if err := fs.Parse(params); err != nil {
	440	return err
	441	}
	442
	443	if len(fs.Args()) != 1 {
	444	return errors.New("exactly one argument is required")
	445	}
	446
	447	net := dc.user.getNetwork(fs.Arg(0))
	448	if net == nil {
	449	return fmt.Errorf("unknown network %q", fs.Arg(0))
	450	}
	451
	452	var (
	453	privKey crypto.PrivateKey
	454	pubKey crypto.PublicKey
	455	)
	456	switch *keyType {
	457	case "rsa":
	458	key, err := rsa.GenerateKey(rand.Reader, *bits)
	459	if err != nil {
	460	return err
	461	}
	462	privKey = key
	463	pubKey = key.Public()
	464	case "ecdsa":
	465	key, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
	466	if err != nil {
	467	return err
	468	}
	469	privKey = key
	470	pubKey = key.Public()
	471	case "ed25519":
	472	var err error
	473	pubKey, privKey, err = ed25519.GenerateKey(rand.Reader)
	474	if err != nil {
	475	return err
	476	}
	477	}
	478
	479	// Using PKCS#8 allows easier extension for new key types.
	480	privKeyBytes, err := x509.MarshalPKCS8PrivateKey(privKey)
	481	if err != nil {
	482	return err
	483	}
	484
	485	notBefore := time.Now()
	486	// Lets make a fair assumption nobody will use the same cert for more than 20 years...
	487	notAfter := notBefore.Add(24 * time.Hour * 365 * 20)
	488	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
	489	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
	490	if err != nil {
	491	return err
	492	}
	493	cert := &x509.Certificate{
	494	SerialNumber: serialNumber,
	495	Subject: pkix.Name{CommonName: "soju auto-generated certificate"},
	496	NotBefore: notBefore,
	497	NotAfter: notAfter,
	498	KeyUsage: x509.KeyUsageKeyEncipherment \| x509.KeyUsageDigitalSignature,
	499	ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	500	}
	501	derBytes, err := x509.CreateCertificate(rand.Reader, cert, cert, pubKey, privKey)
	502	if err != nil {
	503	return err
	504	}
	505
	506	net.SASL.External.CertBlob = derBytes
	507	net.SASL.External.PrivKeyBlob = privKeyBytes
	508	net.SASL.Mechanism = "EXTERNAL"
	509
	510	if err := dc.srv.db.StoreNetwork(net.Username, &net.Network); err != nil {
	511	return err
	512	}
	513
	514	sendServicePRIVMSG(dc, "certificate generated")
	515
	516	sha1Sum := sha1.Sum(derBytes)
	517	sendServicePRIVMSG(dc, "SHA-1 fingerprint: "+hex.EncodeToString(sha1Sum[:]))
	518	sha256Sum := sha256.Sum256(derBytes)
	519	sendServicePRIVMSG(dc, "SHA-256 fingerprint: "+hex.EncodeToString(sha256Sum[:]))
	520
	521	return nil
	522	}
	523
	524	func handleServiceCertfpFingerprints(dc *downstreamConn, params []string) error {
	525	if len(params) != 1 {
	526	return fmt.Errorf("expected exactly one argument")
	527	}
	528
	529	net := dc.user.getNetwork(params[0])
	530	if net == nil {
	531	return fmt.Errorf("unknown network %q", params[0])
	532	}
	533
	534	sha1Sum := sha1.Sum(net.SASL.External.CertBlob)
	535	sendServicePRIVMSG(dc, "SHA-1 fingerprint: "+hex.EncodeToString(sha1Sum[:]))
	536	sha256Sum := sha256.Sum256(net.SASL.External.CertBlob)
	537	sendServicePRIVMSG(dc, "SHA-256 fingerprint: "+hex.EncodeToString(sha256Sum[:]))
	538	return nil
	539	}
	540
	541	func handleServiceCertfpReset(dc *downstreamConn, params []string) error {
	542	if len(params) != 1 {
	543	return fmt.Errorf("expected exactly one argument")
	544	}
	545
	546	net := dc.user.getNetwork(params[0])
	547	if net == nil {
	548	return fmt.Errorf("unknown network %q", params[0])
	549	}
	550
	551	net.SASL.External.CertBlob = nil
	552	net.SASL.External.PrivKeyBlob = nil
	553
	554	if net.SASL.Mechanism == "EXTERNAL" {
	555	net.SASL.Mechanism = ""
	556	}
	557	if err := dc.srv.db.StoreNetwork(dc.user.Username, &net.Network); err != nil {
	558	return err
	559	}
	560
	561	sendServicePRIVMSG(dc, "certificate reset")
	562	return nil
	563	}
	564
[252]	565	func handlePasswordChange(dc *downstreamConn, params []string) error {
	566	if len(params) != 1 {
	567	return fmt.Errorf("expected exactly one argument")
	568	}
	569
	570	hashed, err := bcrypt.GenerateFromPassword([]byte(params[0]), bcrypt.DefaultCost)
	571	if err != nil {
	572	return fmt.Errorf("failed to hash password: %v", err)
	573	}
	574	if err := dc.user.updatePassword(string(hashed)); err != nil {
	575	return err
	576	}
	577
	578	sendServicePRIVMSG(dc, "password updated")
	579	return nil
	580	}
[329]	581
	582	func handleUserCreate(dc *downstreamConn, params []string) error {
	583	fs := newFlagSet()
	584	username := fs.String("username", "", "")
	585	password := fs.String("password", "", "")
	586	admin := fs.Bool("admin", false, "")
	587
	588	if err := fs.Parse(params); err != nil {
	589	return err
	590	}
	591	if *username == "" {
	592	return fmt.Errorf("flag -username is required")
	593	}
	594	if *password == "" {
	595	return fmt.Errorf("flag -password is required")
	596	}
	597
	598	hashed, err := bcrypt.GenerateFromPassword([]byte(*password), bcrypt.DefaultCost)
	599	if err != nil {
	600	return fmt.Errorf("failed to hash password: %v", err)
	601	}
	602
	603	user := &User{
	604	Username: *username,
	605	Password: string(hashed),
	606	Admin: *admin,
	607	}
	608	if _, err := dc.srv.createUser(user); err != nil {
	609	return fmt.Errorf("could not create user: %v", err)
	610	}
	611
	612	sendServicePRIVMSG(dc, fmt.Sprintf("created user %q", *username))
	613	return nil
	614	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: