Context Navigation

service.go@ 328

Last change on this file since 328 was 328, checked in by delthas, 5 years ago

Add support for admin-restricted service commands

This is preparatory work for creating new users from a service command.

This adds support for specifying specific service commands as
admin-restricted. Only admin users can run these commands. These
commands won't show up in the help when run from a non-admin
user, unless the user is requesting help for that specific command.

File size: 13.9 KB

Line
1	package soju
2
3	import (
4	"crypto"
5	"crypto/ecdsa"
6	"crypto/ed25519"
7	"crypto/elliptic"
8	"crypto/rand"
9	"crypto/rsa"
10	"crypto/sha1"
11	"crypto/sha256"
12	"crypto/x509"
13	"crypto/x509/pkix"
14	"encoding/hex"
15	"errors"
16	"flag"
17	"fmt"
18	"io/ioutil"
19	"math/big"
20	"strings"
21	"time"
22
23	"github.com/google/shlex"
24	"golang.org/x/crypto/bcrypt"
25	"gopkg.in/irc.v3"
26	)
27
28	const serviceNick = "BouncerServ"
29
30	var servicePrefix = &irc.Prefix{
31	Name: serviceNick,
32	User: serviceNick,
33	Host: serviceNick,
34	}
35
36	type serviceCommandSet map[string]*serviceCommand
37
38	type serviceCommand struct {
39	usage string
40	desc string
41	handle func(dc *downstreamConn, params []string) error
42	children serviceCommandSet
43	admin bool
44	}
45
46	func sendServiceNOTICE(dc *downstreamConn, text string) {
47	dc.SendMessage(&irc.Message{
48	Prefix: servicePrefix,
49	Command: "NOTICE",
50	Params: []string{dc.nick, text},
51	})
52	}
53
54	func sendServicePRIVMSG(dc *downstreamConn, text string) {
55	dc.SendMessage(&irc.Message{
56	Prefix: servicePrefix,
57	Command: "PRIVMSG",
58	Params: []string{dc.nick, text},
59	})
60	}
61
62	func handleServicePRIVMSG(dc *downstreamConn, text string) {
63	words, err := shlex.Split(text)
64	if err != nil {
65	sendServicePRIVMSG(dc, fmt.Sprintf("error: failed to parse command: %v", err))
66	return
67	}
68
69	cmd, params, err := serviceCommands.Get(words)
70	if err != nil {
71	sendServicePRIVMSG(dc, fmt.Sprintf(`error: %v (type "help" for a list of commands)`, err))
72	return
73	}
74	if cmd.admin && !dc.user.Admin {
75	sendServicePRIVMSG(dc, fmt.Sprintf(`error: you must be an admin to use this command`))
76	return
77	}
78
79	if err := cmd.handle(dc, params); err != nil {
80	sendServicePRIVMSG(dc, fmt.Sprintf("error: %v", err))
81	}
82	}
83
84	func (cmds serviceCommandSet) Get(params []string) (*serviceCommand, []string, error) {
85	if len(params) == 0 {
86	return nil, nil, fmt.Errorf("no command specified")
87	}
88
89	name := params[0]
90	params = params[1:]
91
92	cmd, ok := cmds[name]
93	if !ok {
94	for k := range cmds {
95	if !strings.HasPrefix(k, name) {
96	continue
97	}
98	if cmd != nil {
99	return nil, params, fmt.Errorf("command %q is ambiguous", name)
100	}
101	cmd = cmds[k]
102	}
103	}
104	if cmd == nil {
105	return nil, params, fmt.Errorf("command %q not found", name)
106	}
107
108	if len(params) == 0 \|\| len(cmd.children) == 0 {
109	return cmd, params, nil
110	}
111	return cmd.children.Get(params)
112	}
113
114	var serviceCommands serviceCommandSet
115
116	func init() {
117	serviceCommands = serviceCommandSet{
118	"help": {
119	usage: "[command]",
120	desc: "print help message",
121	handle: handleServiceHelp,
122	},
123	"network": {
124	children: serviceCommandSet{
125	"create": {
126	usage: "-addr <addr> [-name name] [-username username] [-pass pass] [-realname realname] [-nick nick] [-connect-command command]...",
127	desc: "add a new network",
128	handle: handleServiceNetworkCreate,
129	},
130	"status": {
131	desc: "show a list of saved networks and their current status",
132	handle: handleServiceNetworkStatus,
133	},
134	"update": {
135	usage: "[-addr addr] [-name name] [-username username] [-pass pass] [-realname realname] [-nick nick] [-connect-command command]...",
136	desc: "update a network",
137	handle: handleServiceNetworkUpdate,
138	},
139	"delete": {
140	usage: "<name>",
141	desc: "delete a network",
142	handle: handleServiceNetworkDelete,
143	},
144	},
145	},
146	"certfp": {
147	children: serviceCommandSet{
148	"generate": {
149	usage: "[-key-type rsa\|ecdsa\|ed25519] [-bits N] <network name>",
150	desc: "generate a new self-signed certificate, defaults to using RSA-3072 key",
151	handle: handleServiceCertfpGenerate,
152	},
153	"fingerprint": {
154	usage: "<network name>",
155	desc: "show fingerprints of certificate associated with the network",
156	handle: handleServiceCertfpFingerprints,
157	},
158	"reset": {
159	usage: "<network name>",
160	desc: "disable SASL EXTERNAL authentication and remove stored certificate",
161	handle: handleServiceCertfpReset,
162	},
163	},
164	},
165	"change-password": {
166	usage: "<new password>",
167	desc: "change your password",
168	handle: handlePasswordChange,
169	},
170	}
171	}
172
173	func appendServiceCommandSetHelp(cmds serviceCommandSet, prefix []string, admin bool, l *[]string) {
174	for name, cmd := range cmds {
175	if cmd.admin && !admin {
176	continue
177	}
178	words := append(prefix, name)
179	if len(cmd.children) == 0 {
180	s := strings.Join(words, " ")
181	l = append(l, s)
182	} else {
183	appendServiceCommandSetHelp(cmd.children, words, admin, l)
184	}
185	}
186	}
187
188	func handleServiceHelp(dc *downstreamConn, params []string) error {
189	if len(params) > 0 {
190	cmd, rest, err := serviceCommands.Get(params)
191	if err != nil {
192	return err
193	}
194	words := params[:len(params)-len(rest)]
195
196	if len(cmd.children) > 0 {
197	var l []string
198	appendServiceCommandSetHelp(cmd.children, words, dc.user.Admin, &l)
199	sendServicePRIVMSG(dc, "available commands: "+strings.Join(l, ", "))
200	} else {
201	text := strings.Join(words, " ")
202	if cmd.usage != "" {
203	text += " " + cmd.usage
204	}
205	text += ": " + cmd.desc
206
207	sendServicePRIVMSG(dc, text)
208	}
209	} else {
210	var l []string
211	appendServiceCommandSetHelp(serviceCommands, nil, dc.user.Admin, &l)
212	sendServicePRIVMSG(dc, "available commands: "+strings.Join(l, ", "))
213	}
214	return nil
215	}
216
217	func newFlagSet() *flag.FlagSet {
218	fs := flag.NewFlagSet("", flag.ContinueOnError)
219	fs.SetOutput(ioutil.Discard)
220	return fs
221	}
222
223	type stringSliceFlag []string
224
225	func (v *stringSliceFlag) String() string {
226	return fmt.Sprint([]string(*v))
227	}
228
229	func (v *stringSliceFlag) Set(s string) error {
230	v = append(v, s)
231	return nil
232	}
233
234	// stringPtrFlag is a flag value populating a string pointer. This allows to
235	// disambiguate between a flag that hasn't been set and a flag that has been
236	// set to an empty string.
237	type stringPtrFlag struct {
238	ptr **string
239	}
240
241	func (f stringPtrFlag) String() string {
242	if *f.ptr == nil {
243	return ""
244	}
245	return **f.ptr
246	}
247
248	func (f stringPtrFlag) Set(s string) error {
249	*f.ptr = &s
250	return nil
251	}
252
253	type networkFlagSet struct {
254	*flag.FlagSet
255	Addr, Name, Nick, Username, Pass, Realname *string
256	ConnectCommands []string
257	}
258
259	func newNetworkFlagSet() *networkFlagSet {
260	fs := &networkFlagSet{FlagSet: newFlagSet()}
261	fs.Var(stringPtrFlag{&fs.Addr}, "addr", "")
262	fs.Var(stringPtrFlag{&fs.Name}, "name", "")
263	fs.Var(stringPtrFlag{&fs.Nick}, "nick", "")
264	fs.Var(stringPtrFlag{&fs.Username}, "username", "")
265	fs.Var(stringPtrFlag{&fs.Pass}, "pass", "")
266	fs.Var(stringPtrFlag{&fs.Realname}, "realname", "")
267	fs.Var((*stringSliceFlag)(&fs.ConnectCommands), "connect-command", "")
268	return fs
269	}
270
271	func (fs networkFlagSet) update(network Network) error {
272	if fs.Addr != nil {
273	if addrParts := strings.SplitN(*fs.Addr, "://", 2); len(addrParts) == 2 {
274	scheme := addrParts[0]
275	switch scheme {
276	case "ircs", "irc+insecure":
277	default:
278	return fmt.Errorf("unknown scheme %q (supported schemes: ircs, irc+insecure)", scheme)
279	}
280	}
281	network.Addr = *fs.Addr
282	}
283	if fs.Name != nil {
284	network.Name = *fs.Name
285	}
286	if fs.Nick != nil {
287	network.Nick = *fs.Nick
288	}
289	if fs.Username != nil {
290	network.Username = *fs.Username
291	}
292	if fs.Pass != nil {
293	network.Pass = *fs.Pass
294	}
295	if fs.Realname != nil {
296	network.Realname = *fs.Realname
297	}
298	if fs.ConnectCommands != nil {
299	if len(fs.ConnectCommands) == 1 && fs.ConnectCommands[0] == "" {
300	network.ConnectCommands = nil
301	} else {
302	for _, command := range fs.ConnectCommands {
303	_, err := irc.ParseMessage(command)
304	if err != nil {
305	return fmt.Errorf("flag -connect-command must be a valid raw irc command string: %q: %v", command, err)
306	}
307	}
308	network.ConnectCommands = fs.ConnectCommands
309	}
310	}
311	return nil
312	}
313
314	func handleServiceNetworkCreate(dc *downstreamConn, params []string) error {
315	fs := newNetworkFlagSet()
316	if err := fs.Parse(params); err != nil {
317	return err
318	}
319	if fs.Addr == nil {
320	return fmt.Errorf("flag -addr is required")
321	}
322
323	record := &Network{
324	Addr: *fs.Addr,
325	Nick: dc.nick,
326	}
327	if err := fs.update(record); err != nil {
328	return err
329	}
330
331	network, err := dc.user.createNetwork(record)
332	if err != nil {
333	return fmt.Errorf("could not create network: %v", err)
334	}
335
336	sendServicePRIVMSG(dc, fmt.Sprintf("created network %q", network.GetName()))
337	return nil
338	}
339
340	func handleServiceNetworkStatus(dc *downstreamConn, params []string) error {
341	dc.user.forEachNetwork(func(net *network) {
342	var statuses []string
343	var details string
344	if uc := net.conn; uc != nil {
345	if dc.nick != uc.nick {
346	statuses = append(statuses, "connected as "+uc.nick)
347	} else {
348	statuses = append(statuses, "connected")
349	}
350	details = fmt.Sprintf("%v channels", len(uc.channels))
351	} else {
352	statuses = append(statuses, "disconnected")
353	if net.lastError != nil {
354	details = net.lastError.Error()
355	}
356	}
357
358	if net == dc.network {
359	statuses = append(statuses, "current")
360	}
361
362	name := net.GetName()
363	if name != net.Addr {
364	name = fmt.Sprintf("%v (%v)", name, net.Addr)
365	}
366
367	s := fmt.Sprintf("%v [%v]", name, strings.Join(statuses, ", "))
368	if details != "" {
369	s += ": " + details
370	}
371	sendServicePRIVMSG(dc, s)
372	})
373	return nil
374	}
375
376	func handleServiceNetworkUpdate(dc *downstreamConn, params []string) error {
377	if len(params) < 1 {
378	return fmt.Errorf("expected exactly one argument")
379	}
380
381	fs := newNetworkFlagSet()
382	if err := fs.Parse(params[1:]); err != nil {
383	return err
384	}
385
386	net := dc.user.getNetwork(params[0])
387	if net == nil {
388	return fmt.Errorf("unknown network %q", params[0])
389	}
390
391	record := net.Network // copy network record because we'll mutate it
392	if err := fs.update(&record); err != nil {
393	return err
394	}
395
396	network, err := dc.user.updateNetwork(&record)
397	if err != nil {
398	return fmt.Errorf("could not update network: %v", err)
399	}
400
401	sendServicePRIVMSG(dc, fmt.Sprintf("updated network %q", network.GetName()))
402	return nil
403	}
404
405	func handleServiceNetworkDelete(dc *downstreamConn, params []string) error {
406	if len(params) != 1 {
407	return fmt.Errorf("expected exactly one argument")
408	}
409
410	net := dc.user.getNetwork(params[0])
411	if net == nil {
412	return fmt.Errorf("unknown network %q", params[0])
413	}
414
415	if err := dc.user.deleteNetwork(net.ID); err != nil {
416	return err
417	}
418
419	sendServicePRIVMSG(dc, fmt.Sprintf("deleted network %q", net.GetName()))
420	return nil
421	}
422
423	func handleServiceCertfpGenerate(dc *downstreamConn, params []string) error {
424	fs := newFlagSet()
425	keyType := fs.String("key-type", "rsa", "key type to generate (rsa, ecdsa, ed25519)")
426	bits := fs.Int("bits", 3072, "size of key to generate, meaningful only for RSA")
427
428	if err := fs.Parse(params); err != nil {
429	return err
430	}
431
432	if len(fs.Args()) != 1 {
433	return errors.New("exactly one argument is required")
434	}
435
436	net := dc.user.getNetwork(fs.Arg(0))
437	if net == nil {
438	return fmt.Errorf("unknown network %q", fs.Arg(0))
439	}
440
441	var (
442	privKey crypto.PrivateKey
443	pubKey crypto.PublicKey
444	)
445	switch *keyType {
446	case "rsa":
447	key, err := rsa.GenerateKey(rand.Reader, *bits)
448	if err != nil {
449	return err
450	}
451	privKey = key
452	pubKey = key.Public()
453	case "ecdsa":
454	key, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
455	if err != nil {
456	return err
457	}
458	privKey = key
459	pubKey = key.Public()
460	case "ed25519":
461	var err error
462	pubKey, privKey, err = ed25519.GenerateKey(rand.Reader)
463	if err != nil {
464	return err
465	}
466	}
467
468	// Using PKCS#8 allows easier extension for new key types.
469	privKeyBytes, err := x509.MarshalPKCS8PrivateKey(privKey)
470	if err != nil {
471	return err
472	}
473
474	notBefore := time.Now()
475	// Lets make a fair assumption nobody will use the same cert for more than 20 years...
476	notAfter := notBefore.Add(24 * time.Hour * 365 * 20)
477	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
478	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
479	if err != nil {
480	return err
481	}
482	cert := &x509.Certificate{
483	SerialNumber: serialNumber,
484	Subject: pkix.Name{CommonName: "soju auto-generated certificate"},
485	NotBefore: notBefore,
486	NotAfter: notAfter,
487	KeyUsage: x509.KeyUsageKeyEncipherment \| x509.KeyUsageDigitalSignature,
488	ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
489	}
490	derBytes, err := x509.CreateCertificate(rand.Reader, cert, cert, pubKey, privKey)
491	if err != nil {
492	return err
493	}
494
495	net.SASL.External.CertBlob = derBytes
496	net.SASL.External.PrivKeyBlob = privKeyBytes
497	net.SASL.Mechanism = "EXTERNAL"
498
499	if err := dc.srv.db.StoreNetwork(net.Username, &net.Network); err != nil {
500	return err
501	}
502
503	sendServicePRIVMSG(dc, "certificate generated")
504
505	sha1Sum := sha1.Sum(derBytes)
506	sendServicePRIVMSG(dc, "SHA-1 fingerprint: "+hex.EncodeToString(sha1Sum[:]))
507	sha256Sum := sha256.Sum256(derBytes)
508	sendServicePRIVMSG(dc, "SHA-256 fingerprint: "+hex.EncodeToString(sha256Sum[:]))
509
510	return nil
511	}
512
513	func handleServiceCertfpFingerprints(dc *downstreamConn, params []string) error {
514	if len(params) != 1 {
515	return fmt.Errorf("expected exactly one argument")
516	}
517
518	net := dc.user.getNetwork(params[0])
519	if net == nil {
520	return fmt.Errorf("unknown network %q", params[0])
521	}
522
523	sha1Sum := sha1.Sum(net.SASL.External.CertBlob)
524	sendServicePRIVMSG(dc, "SHA-1 fingerprint: "+hex.EncodeToString(sha1Sum[:]))
525	sha256Sum := sha256.Sum256(net.SASL.External.CertBlob)
526	sendServicePRIVMSG(dc, "SHA-256 fingerprint: "+hex.EncodeToString(sha256Sum[:]))
527	return nil
528	}
529
530	func handleServiceCertfpReset(dc *downstreamConn, params []string) error {
531	if len(params) != 1 {
532	return fmt.Errorf("expected exactly one argument")
533	}
534
535	net := dc.user.getNetwork(params[0])
536	if net == nil {
537	return fmt.Errorf("unknown network %q", params[0])
538	}
539
540	net.SASL.External.CertBlob = nil
541	net.SASL.External.PrivKeyBlob = nil
542
543	if net.SASL.Mechanism == "EXTERNAL" {
544	net.SASL.Mechanism = ""
545	}
546	if err := dc.srv.db.StoreNetwork(dc.user.Username, &net.Network); err != nil {
547	return err
548	}
549
550	sendServicePRIVMSG(dc, "certificate reset")
551	return nil
552	}
553
554	func handlePasswordChange(dc *downstreamConn, params []string) error {
555	if len(params) != 1 {
556	return fmt.Errorf("expected exactly one argument")
557	}
558
559	hashed, err := bcrypt.GenerateFromPassword([]byte(params[0]), bcrypt.DefaultCost)
560	if err != nil {
561	return fmt.Errorf("failed to hash password: %v", err)
562	}
563	if err := dc.user.updatePassword(string(hashed)); err != nil {
564	return err
565	}
566
567	sendServicePRIVMSG(dc, "password updated")
568	return nil
569	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: code/trunk/service.go@ 328

Download in other formats: