Context Navigation

source: code/trunk/service.go@ 364

Last change on this file since 364 was 364, checked in by contact, 5 years ago

Rename certfp reset to sasl reset

And make it reset all SASL credentials.

File size: 16.5 KB

Line
1	package soju
2
3	import (
4	"crypto"
5	"crypto/ecdsa"
6	"crypto/ed25519"
7	"crypto/elliptic"
8	"crypto/rand"
9	"crypto/rsa"
10	"crypto/sha1"
11	"crypto/sha256"
12	"crypto/x509"
13	"crypto/x509/pkix"
14	"encoding/hex"
15	"errors"
16	"flag"
17	"fmt"
18	"io/ioutil"
19	"math/big"
20	"sort"
21	"strings"
22	"time"
23
24	"github.com/google/shlex"
25	"golang.org/x/crypto/bcrypt"
26	"gopkg.in/irc.v3"
27	)
28
29	const serviceNick = "BouncerServ"
30	const serviceRealname = "soju bouncer service"
31
32	var servicePrefix = &irc.Prefix{
33	Name: serviceNick,
34	User: serviceNick,
35	Host: serviceNick,
36	}
37
38	type serviceCommandSet map[string]*serviceCommand
39
40	type serviceCommand struct {
41	usage string
42	desc string
43	handle func(dc *downstreamConn, params []string) error
44	children serviceCommandSet
45	admin bool
46	}
47
48	func sendServiceNOTICE(dc *downstreamConn, text string) {
49	dc.SendMessage(&irc.Message{
50	Prefix: servicePrefix,
51	Command: "NOTICE",
52	Params: []string{dc.nick, text},
53	})
54	}
55
56	func sendServicePRIVMSG(dc *downstreamConn, text string) {
57	dc.SendMessage(&irc.Message{
58	Prefix: servicePrefix,
59	Command: "PRIVMSG",
60	Params: []string{dc.nick, text},
61	})
62	}
63
64	func handleServicePRIVMSG(dc *downstreamConn, text string) {
65	words, err := shlex.Split(text)
66	if err != nil {
67	sendServicePRIVMSG(dc, fmt.Sprintf("error: failed to parse command: %v", err))
68	return
69	}
70
71	cmd, params, err := serviceCommands.Get(words)
72	if err != nil {
73	sendServicePRIVMSG(dc, fmt.Sprintf(`error: %v (type "help" for a list of commands)`, err))
74	return
75	}
76	if cmd.admin && !dc.user.Admin {
77	sendServicePRIVMSG(dc, fmt.Sprintf(`error: you must be an admin to use this command`))
78	return
79	}
80
81	if cmd.handle == nil {
82	if len(cmd.children) > 0 {
83	var l []string
84	appendServiceCommandSetHelp(cmd.children, words, dc.user.Admin, &l)
85	sendServicePRIVMSG(dc, "available commands: "+strings.Join(l, ", "))
86	} else {
87	// Pretend the command does not exist if it has neither children nor handler.
88	// This is obviously a bug but it is better to not die anyway.
89	dc.logger.Printf("command without handler and subcommands invoked:", words[0])
90	sendServicePRIVMSG(dc, fmt.Sprintf("command %q not found", words[0]))
91	}
92	return
93	}
94
95	if err := cmd.handle(dc, params); err != nil {
96	sendServicePRIVMSG(dc, fmt.Sprintf("error: %v", err))
97	}
98	}
99
100	func (cmds serviceCommandSet) Get(params []string) (*serviceCommand, []string, error) {
101	if len(params) == 0 {
102	return nil, nil, fmt.Errorf("no command specified")
103	}
104
105	name := params[0]
106	params = params[1:]
107
108	cmd, ok := cmds[name]
109	if !ok {
110	for k := range cmds {
111	if !strings.HasPrefix(k, name) {
112	continue
113	}
114	if cmd != nil {
115	return nil, params, fmt.Errorf("command %q is ambiguous", name)
116	}
117	cmd = cmds[k]
118	}
119	}
120	if cmd == nil {
121	return nil, params, fmt.Errorf("command %q not found", name)
122	}
123
124	if len(params) == 0 \|\| len(cmd.children) == 0 {
125	return cmd, params, nil
126	}
127	return cmd.children.Get(params)
128	}
129
130	func (cmds serviceCommandSet) Names() []string {
131	l := make([]string, 0, len(cmds))
132	for name := range cmds {
133	l = append(l, name)
134	}
135	sort.Strings(l)
136	return l
137	}
138
139	var serviceCommands serviceCommandSet
140
141	func init() {
142	serviceCommands = serviceCommandSet{
143	"help": {
144	usage: "[command]",
145	desc: "print help message",
146	handle: handleServiceHelp,
147	},
148	"network": {
149	children: serviceCommandSet{
150	"create": {
151	usage: "-addr <addr> [-name name] [-username username] [-pass pass] [-realname realname] [-nick nick] [-connect-command command]...",
152	desc: "add a new network",
153	handle: handleServiceNetworkCreate,
154	},
155	"status": {
156	desc: "show a list of saved networks and their current status",
157	handle: handleServiceNetworkStatus,
158	},
159	"update": {
160	usage: "[-addr addr] [-name name] [-username username] [-pass pass] [-realname realname] [-nick nick] [-connect-command command]...",
161	desc: "update a network",
162	handle: handleServiceNetworkUpdate,
163	},
164	"delete": {
165	usage: "<name>",
166	desc: "delete a network",
167	handle: handleServiceNetworkDelete,
168	},
169	},
170	},
171	"certfp": {
172	children: serviceCommandSet{
173	"generate": {
174	usage: "[-key-type rsa\|ecdsa\|ed25519] [-bits N] <network name>",
175	desc: "generate a new self-signed certificate, defaults to using RSA-3072 key",
176	handle: handleServiceCertfpGenerate,
177	},
178	"fingerprint": {
179	usage: "<network name>",
180	desc: "show fingerprints of certificate associated with the network",
181	handle: handleServiceCertfpFingerprints,
182	},
183	},
184	},
185	"sasl": {
186	children: serviceCommandSet{
187	"set-plain": {
188	usage: "<network name> <username> <password>",
189	desc: "set SASL PLAIN credentials",
190	handle: handleServiceSASLSetPlain,
191	},
192	"reset": {
193	usage: "<network name>",
194	desc: "disable SASL authentication and remove stored credentials",
195	handle: handleServiceSASLReset,
196	},
197	},
198	},
199	"user": {
200	children: serviceCommandSet{
201	"create": {
202	usage: "-username <username> -password <password> [-admin]",
203	desc: "create a new soju user",
204	handle: handleUserCreate,
205	admin: true,
206	},
207	},
208	admin: true,
209	},
210	"change-password": {
211	usage: "<new password>",
212	desc: "change your password",
213	handle: handlePasswordChange,
214	},
215	}
216	}
217
218	func appendServiceCommandSetHelp(cmds serviceCommandSet, prefix []string, admin bool, l *[]string) {
219	for _, name := range cmds.Names() {
220	cmd := cmds[name]
221	if cmd.admin && !admin {
222	continue
223	}
224	words := append(prefix, name)
225	if len(cmd.children) == 0 {
226	s := strings.Join(words, " ")
227	l = append(l, s)
228	} else {
229	appendServiceCommandSetHelp(cmd.children, words, admin, l)
230	}
231	}
232	}
233
234	func handleServiceHelp(dc *downstreamConn, params []string) error {
235	if len(params) > 0 {
236	cmd, rest, err := serviceCommands.Get(params)
237	if err != nil {
238	return err
239	}
240	words := params[:len(params)-len(rest)]
241
242	if len(cmd.children) > 0 {
243	var l []string
244	appendServiceCommandSetHelp(cmd.children, words, dc.user.Admin, &l)
245	sendServicePRIVMSG(dc, "available commands: "+strings.Join(l, ", "))
246	} else {
247	text := strings.Join(words, " ")
248	if cmd.usage != "" {
249	text += " " + cmd.usage
250	}
251	text += ": " + cmd.desc
252
253	sendServicePRIVMSG(dc, text)
254	}
255	} else {
256	var l []string
257	appendServiceCommandSetHelp(serviceCommands, nil, dc.user.Admin, &l)
258	sendServicePRIVMSG(dc, "available commands: "+strings.Join(l, ", "))
259	}
260	return nil
261	}
262
263	func newFlagSet() *flag.FlagSet {
264	fs := flag.NewFlagSet("", flag.ContinueOnError)
265	fs.SetOutput(ioutil.Discard)
266	return fs
267	}
268
269	type stringSliceFlag []string
270
271	func (v *stringSliceFlag) String() string {
272	return fmt.Sprint([]string(*v))
273	}
274
275	func (v *stringSliceFlag) Set(s string) error {
276	v = append(v, s)
277	return nil
278	}
279
280	// stringPtrFlag is a flag value populating a string pointer. This allows to
281	// disambiguate between a flag that hasn't been set and a flag that has been
282	// set to an empty string.
283	type stringPtrFlag struct {
284	ptr **string
285	}
286
287	func (f stringPtrFlag) String() string {
288	if f.ptr == nil \|\| *f.ptr == nil {
289	return ""
290	}
291	return **f.ptr
292	}
293
294	func (f stringPtrFlag) Set(s string) error {
295	*f.ptr = &s
296	return nil
297	}
298
299	type networkFlagSet struct {
300	*flag.FlagSet
301	Addr, Name, Nick, Username, Pass, Realname *string
302	ConnectCommands []string
303	}
304
305	func newNetworkFlagSet() *networkFlagSet {
306	fs := &networkFlagSet{FlagSet: newFlagSet()}
307	fs.Var(stringPtrFlag{&fs.Addr}, "addr", "")
308	fs.Var(stringPtrFlag{&fs.Name}, "name", "")
309	fs.Var(stringPtrFlag{&fs.Nick}, "nick", "")
310	fs.Var(stringPtrFlag{&fs.Username}, "username", "")
311	fs.Var(stringPtrFlag{&fs.Pass}, "pass", "")
312	fs.Var(stringPtrFlag{&fs.Realname}, "realname", "")
313	fs.Var((*stringSliceFlag)(&fs.ConnectCommands), "connect-command", "")
314	return fs
315	}
316
317	func (fs networkFlagSet) update(network Network) error {
318	if fs.Addr != nil {
319	if addrParts := strings.SplitN(*fs.Addr, "://", 2); len(addrParts) == 2 {
320	scheme := addrParts[0]
321	switch scheme {
322	case "ircs", "irc+insecure", "unix":
323	default:
324	return fmt.Errorf("unknown scheme %q (supported schemes: ircs, irc+insecure, unix)", scheme)
325	}
326	}
327	network.Addr = *fs.Addr
328	}
329	if fs.Name != nil {
330	network.Name = *fs.Name
331	}
332	if fs.Nick != nil {
333	network.Nick = *fs.Nick
334	}
335	if fs.Username != nil {
336	network.Username = *fs.Username
337	}
338	if fs.Pass != nil {
339	network.Pass = *fs.Pass
340	}
341	if fs.Realname != nil {
342	network.Realname = *fs.Realname
343	}
344	if fs.ConnectCommands != nil {
345	if len(fs.ConnectCommands) == 1 && fs.ConnectCommands[0] == "" {
346	network.ConnectCommands = nil
347	} else {
348	for _, command := range fs.ConnectCommands {
349	_, err := irc.ParseMessage(command)
350	if err != nil {
351	return fmt.Errorf("flag -connect-command must be a valid raw irc command string: %q: %v", command, err)
352	}
353	}
354	network.ConnectCommands = fs.ConnectCommands
355	}
356	}
357	return nil
358	}
359
360	func handleServiceNetworkCreate(dc *downstreamConn, params []string) error {
361	fs := newNetworkFlagSet()
362	if err := fs.Parse(params); err != nil {
363	return err
364	}
365	if fs.Addr == nil {
366	return fmt.Errorf("flag -addr is required")
367	}
368
369	record := &Network{
370	Addr: *fs.Addr,
371	Nick: dc.nick,
372	}
373	if err := fs.update(record); err != nil {
374	return err
375	}
376
377	network, err := dc.user.createNetwork(record)
378	if err != nil {
379	return fmt.Errorf("could not create network: %v", err)
380	}
381
382	sendServicePRIVMSG(dc, fmt.Sprintf("created network %q", network.GetName()))
383	return nil
384	}
385
386	func handleServiceNetworkStatus(dc *downstreamConn, params []string) error {
387	dc.user.forEachNetwork(func(net *network) {
388	var statuses []string
389	var details string
390	if uc := net.conn; uc != nil {
391	if dc.nick != uc.nick {
392	statuses = append(statuses, "connected as "+uc.nick)
393	} else {
394	statuses = append(statuses, "connected")
395	}
396	details = fmt.Sprintf("%v channels", len(uc.channels))
397	} else {
398	statuses = append(statuses, "disconnected")
399	if net.lastError != nil {
400	details = net.lastError.Error()
401	}
402	}
403
404	if net == dc.network {
405	statuses = append(statuses, "current")
406	}
407
408	name := net.GetName()
409	if name != net.Addr {
410	name = fmt.Sprintf("%v (%v)", name, net.Addr)
411	}
412
413	s := fmt.Sprintf("%v [%v]", name, strings.Join(statuses, ", "))
414	if details != "" {
415	s += ": " + details
416	}
417	sendServicePRIVMSG(dc, s)
418	})
419	return nil
420	}
421
422	func handleServiceNetworkUpdate(dc *downstreamConn, params []string) error {
423	if len(params) < 1 {
424	return fmt.Errorf("expected exactly one argument")
425	}
426
427	fs := newNetworkFlagSet()
428	if err := fs.Parse(params[1:]); err != nil {
429	return err
430	}
431
432	net := dc.user.getNetwork(params[0])
433	if net == nil {
434	return fmt.Errorf("unknown network %q", params[0])
435	}
436
437	record := net.Network // copy network record because we'll mutate it
438	if err := fs.update(&record); err != nil {
439	return err
440	}
441
442	network, err := dc.user.updateNetwork(&record)
443	if err != nil {
444	return fmt.Errorf("could not update network: %v", err)
445	}
446
447	sendServicePRIVMSG(dc, fmt.Sprintf("updated network %q", network.GetName()))
448	return nil
449	}
450
451	func handleServiceNetworkDelete(dc *downstreamConn, params []string) error {
452	if len(params) != 1 {
453	return fmt.Errorf("expected exactly one argument")
454	}
455
456	net := dc.user.getNetwork(params[0])
457	if net == nil {
458	return fmt.Errorf("unknown network %q", params[0])
459	}
460
461	if err := dc.user.deleteNetwork(net.ID); err != nil {
462	return err
463	}
464
465	sendServicePRIVMSG(dc, fmt.Sprintf("deleted network %q", net.GetName()))
466	return nil
467	}
468
469	func handleServiceCertfpGenerate(dc *downstreamConn, params []string) error {
470	fs := newFlagSet()
471	keyType := fs.String("key-type", "rsa", "key type to generate (rsa, ecdsa, ed25519)")
472	bits := fs.Int("bits", 3072, "size of key to generate, meaningful only for RSA")
473
474	if err := fs.Parse(params); err != nil {
475	return err
476	}
477
478	if len(fs.Args()) != 1 {
479	return errors.New("exactly one argument is required")
480	}
481
482	net := dc.user.getNetwork(fs.Arg(0))
483	if net == nil {
484	return fmt.Errorf("unknown network %q", fs.Arg(0))
485	}
486
487	var (
488	privKey crypto.PrivateKey
489	pubKey crypto.PublicKey
490	)
491	switch *keyType {
492	case "rsa":
493	key, err := rsa.GenerateKey(rand.Reader, *bits)
494	if err != nil {
495	return err
496	}
497	privKey = key
498	pubKey = key.Public()
499	case "ecdsa":
500	key, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
501	if err != nil {
502	return err
503	}
504	privKey = key
505	pubKey = key.Public()
506	case "ed25519":
507	var err error
508	pubKey, privKey, err = ed25519.GenerateKey(rand.Reader)
509	if err != nil {
510	return err
511	}
512	}
513
514	// Using PKCS#8 allows easier extension for new key types.
515	privKeyBytes, err := x509.MarshalPKCS8PrivateKey(privKey)
516	if err != nil {
517	return err
518	}
519
520	notBefore := time.Now()
521	// Lets make a fair assumption nobody will use the same cert for more than 20 years...
522	notAfter := notBefore.Add(24 * time.Hour * 365 * 20)
523	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
524	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
525	if err != nil {
526	return err
527	}
528	cert := &x509.Certificate{
529	SerialNumber: serialNumber,
530	Subject: pkix.Name{CommonName: "soju auto-generated certificate"},
531	NotBefore: notBefore,
532	NotAfter: notAfter,
533	KeyUsage: x509.KeyUsageKeyEncipherment \| x509.KeyUsageDigitalSignature,
534	ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
535	}
536	derBytes, err := x509.CreateCertificate(rand.Reader, cert, cert, pubKey, privKey)
537	if err != nil {
538	return err
539	}
540
541	net.SASL.External.CertBlob = derBytes
542	net.SASL.External.PrivKeyBlob = privKeyBytes
543	net.SASL.Mechanism = "EXTERNAL"
544
545	if err := dc.srv.db.StoreNetwork(net.Username, &net.Network); err != nil {
546	return err
547	}
548
549	sendServicePRIVMSG(dc, "certificate generated")
550
551	sha1Sum := sha1.Sum(derBytes)
552	sendServicePRIVMSG(dc, "SHA-1 fingerprint: "+hex.EncodeToString(sha1Sum[:]))
553	sha256Sum := sha256.Sum256(derBytes)
554	sendServicePRIVMSG(dc, "SHA-256 fingerprint: "+hex.EncodeToString(sha256Sum[:]))
555
556	return nil
557	}
558
559	func handleServiceCertfpFingerprints(dc *downstreamConn, params []string) error {
560	if len(params) != 1 {
561	return fmt.Errorf("expected exactly one argument")
562	}
563
564	net := dc.user.getNetwork(params[0])
565	if net == nil {
566	return fmt.Errorf("unknown network %q", params[0])
567	}
568
569	sha1Sum := sha1.Sum(net.SASL.External.CertBlob)
570	sendServicePRIVMSG(dc, "SHA-1 fingerprint: "+hex.EncodeToString(sha1Sum[:]))
571	sha256Sum := sha256.Sum256(net.SASL.External.CertBlob)
572	sendServicePRIVMSG(dc, "SHA-256 fingerprint: "+hex.EncodeToString(sha256Sum[:]))
573	return nil
574	}
575
576	func handleServiceSASLSetPlain(dc *downstreamConn, params []string) error {
577	if len(params) != 3 {
578	return fmt.Errorf("expected exactly 3 arguments")
579	}
580
581	net := dc.user.getNetwork(params[0])
582	if net == nil {
583	return fmt.Errorf("unknown network %q", params[0])
584	}
585
586	net.SASL.Plain.Username = params[1]
587	net.SASL.Plain.Password = params[2]
588	net.SASL.Mechanism = "PLAIN"
589
590	if err := dc.srv.db.StoreNetwork(net.Username, &net.Network); err != nil {
591	return err
592	}
593
594	sendServicePRIVMSG(dc, "credentials saved")
595	return nil
596	}
597
598	func handleServiceSASLReset(dc *downstreamConn, params []string) error {
599	if len(params) != 1 {
600	return fmt.Errorf("expected exactly one argument")
601	}
602
603	net := dc.user.getNetwork(params[0])
604	if net == nil {
605	return fmt.Errorf("unknown network %q", params[0])
606	}
607
608	net.SASL.Plain.Username = ""
609	net.SASL.Plain.Password = ""
610	net.SASL.External.CertBlob = nil
611	net.SASL.External.PrivKeyBlob = nil
612	net.SASL.Mechanism = ""
613
614	if err := dc.srv.db.StoreNetwork(dc.user.Username, &net.Network); err != nil {
615	return err
616	}
617
618	sendServicePRIVMSG(dc, "credentials reset")
619	return nil
620	}
621
622	func handlePasswordChange(dc *downstreamConn, params []string) error {
623	if len(params) != 1 {
624	return fmt.Errorf("expected exactly one argument")
625	}
626
627	hashed, err := bcrypt.GenerateFromPassword([]byte(params[0]), bcrypt.DefaultCost)
628	if err != nil {
629	return fmt.Errorf("failed to hash password: %v", err)
630	}
631	if err := dc.user.updatePassword(string(hashed)); err != nil {
632	return err
633	}
634
635	sendServicePRIVMSG(dc, "password updated")
636	return nil
637	}
638
639	func handleUserCreate(dc *downstreamConn, params []string) error {
640	fs := newFlagSet()
641	username := fs.String("username", "", "")
642	password := fs.String("password", "", "")
643	admin := fs.Bool("admin", false, "")
644
645	if err := fs.Parse(params); err != nil {
646	return err
647	}
648	if *username == "" {
649	return fmt.Errorf("flag -username is required")
650	}
651	if *password == "" {
652	return fmt.Errorf("flag -password is required")
653	}
654
655	hashed, err := bcrypt.GenerateFromPassword([]byte(*password), bcrypt.DefaultCost)
656	if err != nil {
657	return fmt.Errorf("failed to hash password: %v", err)
658	}
659
660	user := &User{
661	Username: *username,
662	Password: string(hashed),
663	Admin: *admin,
664	}
665	if _, err := dc.srv.createUser(user); err != nil {
666	return fmt.Errorf("could not create user: %v", err)
667	}
668
669	sendServicePRIVMSG(dc, fmt.Sprintf("created user %q", *username))
670	return nil
671	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: