Context Navigation

source: code/trunk/service.go@ 332

Last change on this file since 332 was 329, checked in by delthas, 5 years ago

Add support for the user create admin service command

This adds support for user create, a new service command only accessible
to admin users. This lets users create other users on the fly and makes
soju start the user routine immediately; unlike sojuctl which currently
requires closing soju, creating the user, and starting soju again.

File size: 15.0 KB

Line
1	package soju
2
3	import (
4	"crypto"
5	"crypto/ecdsa"
6	"crypto/ed25519"
7	"crypto/elliptic"
8	"crypto/rand"
9	"crypto/rsa"
10	"crypto/sha1"
11	"crypto/sha256"
12	"crypto/x509"
13	"crypto/x509/pkix"
14	"encoding/hex"
15	"errors"
16	"flag"
17	"fmt"
18	"io/ioutil"
19	"math/big"
20	"strings"
21	"time"
22
23	"github.com/google/shlex"
24	"golang.org/x/crypto/bcrypt"
25	"gopkg.in/irc.v3"
26	)
27
28	const serviceNick = "BouncerServ"
29
30	var servicePrefix = &irc.Prefix{
31	Name: serviceNick,
32	User: serviceNick,
33	Host: serviceNick,
34	}
35
36	type serviceCommandSet map[string]*serviceCommand
37
38	type serviceCommand struct {
39	usage string
40	desc string
41	handle func(dc *downstreamConn, params []string) error
42	children serviceCommandSet
43	admin bool
44	}
45
46	func sendServiceNOTICE(dc *downstreamConn, text string) {
47	dc.SendMessage(&irc.Message{
48	Prefix: servicePrefix,
49	Command: "NOTICE",
50	Params: []string{dc.nick, text},
51	})
52	}
53
54	func sendServicePRIVMSG(dc *downstreamConn, text string) {
55	dc.SendMessage(&irc.Message{
56	Prefix: servicePrefix,
57	Command: "PRIVMSG",
58	Params: []string{dc.nick, text},
59	})
60	}
61
62	func handleServicePRIVMSG(dc *downstreamConn, text string) {
63	words, err := shlex.Split(text)
64	if err != nil {
65	sendServicePRIVMSG(dc, fmt.Sprintf("error: failed to parse command: %v", err))
66	return
67	}
68
69	cmd, params, err := serviceCommands.Get(words)
70	if err != nil {
71	sendServicePRIVMSG(dc, fmt.Sprintf(`error: %v (type "help" for a list of commands)`, err))
72	return
73	}
74	if cmd.admin && !dc.user.Admin {
75	sendServicePRIVMSG(dc, fmt.Sprintf(`error: you must be an admin to use this command`))
76	return
77	}
78
79	if err := cmd.handle(dc, params); err != nil {
80	sendServicePRIVMSG(dc, fmt.Sprintf("error: %v", err))
81	}
82	}
83
84	func (cmds serviceCommandSet) Get(params []string) (*serviceCommand, []string, error) {
85	if len(params) == 0 {
86	return nil, nil, fmt.Errorf("no command specified")
87	}
88
89	name := params[0]
90	params = params[1:]
91
92	cmd, ok := cmds[name]
93	if !ok {
94	for k := range cmds {
95	if !strings.HasPrefix(k, name) {
96	continue
97	}
98	if cmd != nil {
99	return nil, params, fmt.Errorf("command %q is ambiguous", name)
100	}
101	cmd = cmds[k]
102	}
103	}
104	if cmd == nil {
105	return nil, params, fmt.Errorf("command %q not found", name)
106	}
107
108	if len(params) == 0 \|\| len(cmd.children) == 0 {
109	return cmd, params, nil
110	}
111	return cmd.children.Get(params)
112	}
113
114	var serviceCommands serviceCommandSet
115
116	func init() {
117	serviceCommands = serviceCommandSet{
118	"help": {
119	usage: "[command]",
120	desc: "print help message",
121	handle: handleServiceHelp,
122	},
123	"network": {
124	children: serviceCommandSet{
125	"create": {
126	usage: "-addr <addr> [-name name] [-username username] [-pass pass] [-realname realname] [-nick nick] [-connect-command command]...",
127	desc: "add a new network",
128	handle: handleServiceNetworkCreate,
129	},
130	"status": {
131	desc: "show a list of saved networks and their current status",
132	handle: handleServiceNetworkStatus,
133	},
134	"update": {
135	usage: "[-addr addr] [-name name] [-username username] [-pass pass] [-realname realname] [-nick nick] [-connect-command command]...",
136	desc: "update a network",
137	handle: handleServiceNetworkUpdate,
138	},
139	"delete": {
140	usage: "<name>",
141	desc: "delete a network",
142	handle: handleServiceNetworkDelete,
143	},
144	},
145	},
146	"certfp": {
147	children: serviceCommandSet{
148	"generate": {
149	usage: "[-key-type rsa\|ecdsa\|ed25519] [-bits N] <network name>",
150	desc: "generate a new self-signed certificate, defaults to using RSA-3072 key",
151	handle: handleServiceCertfpGenerate,
152	},
153	"fingerprint": {
154	usage: "<network name>",
155	desc: "show fingerprints of certificate associated with the network",
156	handle: handleServiceCertfpFingerprints,
157	},
158	"reset": {
159	usage: "<network name>",
160	desc: "disable SASL EXTERNAL authentication and remove stored certificate",
161	handle: handleServiceCertfpReset,
162	},
163	},
164	},
165	"user": {
166	children: serviceCommandSet{
167	"create": {
168	usage: "-username <username> -password <password> [-admin]",
169	desc: "create a new soju user",
170	handle: handleUserCreate,
171	admin: true,
172	},
173	},
174	admin: true,
175	},
176	"change-password": {
177	usage: "<new password>",
178	desc: "change your password",
179	handle: handlePasswordChange,
180	},
181	}
182	}
183
184	func appendServiceCommandSetHelp(cmds serviceCommandSet, prefix []string, admin bool, l *[]string) {
185	for name, cmd := range cmds {
186	if cmd.admin && !admin {
187	continue
188	}
189	words := append(prefix, name)
190	if len(cmd.children) == 0 {
191	s := strings.Join(words, " ")
192	l = append(l, s)
193	} else {
194	appendServiceCommandSetHelp(cmd.children, words, admin, l)
195	}
196	}
197	}
198
199	func handleServiceHelp(dc *downstreamConn, params []string) error {
200	if len(params) > 0 {
201	cmd, rest, err := serviceCommands.Get(params)
202	if err != nil {
203	return err
204	}
205	words := params[:len(params)-len(rest)]
206
207	if len(cmd.children) > 0 {
208	var l []string
209	appendServiceCommandSetHelp(cmd.children, words, dc.user.Admin, &l)
210	sendServicePRIVMSG(dc, "available commands: "+strings.Join(l, ", "))
211	} else {
212	text := strings.Join(words, " ")
213	if cmd.usage != "" {
214	text += " " + cmd.usage
215	}
216	text += ": " + cmd.desc
217
218	sendServicePRIVMSG(dc, text)
219	}
220	} else {
221	var l []string
222	appendServiceCommandSetHelp(serviceCommands, nil, dc.user.Admin, &l)
223	sendServicePRIVMSG(dc, "available commands: "+strings.Join(l, ", "))
224	}
225	return nil
226	}
227
228	func newFlagSet() *flag.FlagSet {
229	fs := flag.NewFlagSet("", flag.ContinueOnError)
230	fs.SetOutput(ioutil.Discard)
231	return fs
232	}
233
234	type stringSliceFlag []string
235
236	func (v *stringSliceFlag) String() string {
237	return fmt.Sprint([]string(*v))
238	}
239
240	func (v *stringSliceFlag) Set(s string) error {
241	v = append(v, s)
242	return nil
243	}
244
245	// stringPtrFlag is a flag value populating a string pointer. This allows to
246	// disambiguate between a flag that hasn't been set and a flag that has been
247	// set to an empty string.
248	type stringPtrFlag struct {
249	ptr **string
250	}
251
252	func (f stringPtrFlag) String() string {
253	if *f.ptr == nil {
254	return ""
255	}
256	return **f.ptr
257	}
258
259	func (f stringPtrFlag) Set(s string) error {
260	*f.ptr = &s
261	return nil
262	}
263
264	type networkFlagSet struct {
265	*flag.FlagSet
266	Addr, Name, Nick, Username, Pass, Realname *string
267	ConnectCommands []string
268	}
269
270	func newNetworkFlagSet() *networkFlagSet {
271	fs := &networkFlagSet{FlagSet: newFlagSet()}
272	fs.Var(stringPtrFlag{&fs.Addr}, "addr", "")
273	fs.Var(stringPtrFlag{&fs.Name}, "name", "")
274	fs.Var(stringPtrFlag{&fs.Nick}, "nick", "")
275	fs.Var(stringPtrFlag{&fs.Username}, "username", "")
276	fs.Var(stringPtrFlag{&fs.Pass}, "pass", "")
277	fs.Var(stringPtrFlag{&fs.Realname}, "realname", "")
278	fs.Var((*stringSliceFlag)(&fs.ConnectCommands), "connect-command", "")
279	return fs
280	}
281
282	func (fs networkFlagSet) update(network Network) error {
283	if fs.Addr != nil {
284	if addrParts := strings.SplitN(*fs.Addr, "://", 2); len(addrParts) == 2 {
285	scheme := addrParts[0]
286	switch scheme {
287	case "ircs", "irc+insecure":
288	default:
289	return fmt.Errorf("unknown scheme %q (supported schemes: ircs, irc+insecure)", scheme)
290	}
291	}
292	network.Addr = *fs.Addr
293	}
294	if fs.Name != nil {
295	network.Name = *fs.Name
296	}
297	if fs.Nick != nil {
298	network.Nick = *fs.Nick
299	}
300	if fs.Username != nil {
301	network.Username = *fs.Username
302	}
303	if fs.Pass != nil {
304	network.Pass = *fs.Pass
305	}
306	if fs.Realname != nil {
307	network.Realname = *fs.Realname
308	}
309	if fs.ConnectCommands != nil {
310	if len(fs.ConnectCommands) == 1 && fs.ConnectCommands[0] == "" {
311	network.ConnectCommands = nil
312	} else {
313	for _, command := range fs.ConnectCommands {
314	_, err := irc.ParseMessage(command)
315	if err != nil {
316	return fmt.Errorf("flag -connect-command must be a valid raw irc command string: %q: %v", command, err)
317	}
318	}
319	network.ConnectCommands = fs.ConnectCommands
320	}
321	}
322	return nil
323	}
324
325	func handleServiceNetworkCreate(dc *downstreamConn, params []string) error {
326	fs := newNetworkFlagSet()
327	if err := fs.Parse(params); err != nil {
328	return err
329	}
330	if fs.Addr == nil {
331	return fmt.Errorf("flag -addr is required")
332	}
333
334	record := &Network{
335	Addr: *fs.Addr,
336	Nick: dc.nick,
337	}
338	if err := fs.update(record); err != nil {
339	return err
340	}
341
342	network, err := dc.user.createNetwork(record)
343	if err != nil {
344	return fmt.Errorf("could not create network: %v", err)
345	}
346
347	sendServicePRIVMSG(dc, fmt.Sprintf("created network %q", network.GetName()))
348	return nil
349	}
350
351	func handleServiceNetworkStatus(dc *downstreamConn, params []string) error {
352	dc.user.forEachNetwork(func(net *network) {
353	var statuses []string
354	var details string
355	if uc := net.conn; uc != nil {
356	if dc.nick != uc.nick {
357	statuses = append(statuses, "connected as "+uc.nick)
358	} else {
359	statuses = append(statuses, "connected")
360	}
361	details = fmt.Sprintf("%v channels", len(uc.channels))
362	} else {
363	statuses = append(statuses, "disconnected")
364	if net.lastError != nil {
365	details = net.lastError.Error()
366	}
367	}
368
369	if net == dc.network {
370	statuses = append(statuses, "current")
371	}
372
373	name := net.GetName()
374	if name != net.Addr {
375	name = fmt.Sprintf("%v (%v)", name, net.Addr)
376	}
377
378	s := fmt.Sprintf("%v [%v]", name, strings.Join(statuses, ", "))
379	if details != "" {
380	s += ": " + details
381	}
382	sendServicePRIVMSG(dc, s)
383	})
384	return nil
385	}
386
387	func handleServiceNetworkUpdate(dc *downstreamConn, params []string) error {
388	if len(params) < 1 {
389	return fmt.Errorf("expected exactly one argument")
390	}
391
392	fs := newNetworkFlagSet()
393	if err := fs.Parse(params[1:]); err != nil {
394	return err
395	}
396
397	net := dc.user.getNetwork(params[0])
398	if net == nil {
399	return fmt.Errorf("unknown network %q", params[0])
400	}
401
402	record := net.Network // copy network record because we'll mutate it
403	if err := fs.update(&record); err != nil {
404	return err
405	}
406
407	network, err := dc.user.updateNetwork(&record)
408	if err != nil {
409	return fmt.Errorf("could not update network: %v", err)
410	}
411
412	sendServicePRIVMSG(dc, fmt.Sprintf("updated network %q", network.GetName()))
413	return nil
414	}
415
416	func handleServiceNetworkDelete(dc *downstreamConn, params []string) error {
417	if len(params) != 1 {
418	return fmt.Errorf("expected exactly one argument")
419	}
420
421	net := dc.user.getNetwork(params[0])
422	if net == nil {
423	return fmt.Errorf("unknown network %q", params[0])
424	}
425
426	if err := dc.user.deleteNetwork(net.ID); err != nil {
427	return err
428	}
429
430	sendServicePRIVMSG(dc, fmt.Sprintf("deleted network %q", net.GetName()))
431	return nil
432	}
433
434	func handleServiceCertfpGenerate(dc *downstreamConn, params []string) error {
435	fs := newFlagSet()
436	keyType := fs.String("key-type", "rsa", "key type to generate (rsa, ecdsa, ed25519)")
437	bits := fs.Int("bits", 3072, "size of key to generate, meaningful only for RSA")
438
439	if err := fs.Parse(params); err != nil {
440	return err
441	}
442
443	if len(fs.Args()) != 1 {
444	return errors.New("exactly one argument is required")
445	}
446
447	net := dc.user.getNetwork(fs.Arg(0))
448	if net == nil {
449	return fmt.Errorf("unknown network %q", fs.Arg(0))
450	}
451
452	var (
453	privKey crypto.PrivateKey
454	pubKey crypto.PublicKey
455	)
456	switch *keyType {
457	case "rsa":
458	key, err := rsa.GenerateKey(rand.Reader, *bits)
459	if err != nil {
460	return err
461	}
462	privKey = key
463	pubKey = key.Public()
464	case "ecdsa":
465	key, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
466	if err != nil {
467	return err
468	}
469	privKey = key
470	pubKey = key.Public()
471	case "ed25519":
472	var err error
473	pubKey, privKey, err = ed25519.GenerateKey(rand.Reader)
474	if err != nil {
475	return err
476	}
477	}
478
479	// Using PKCS#8 allows easier extension for new key types.
480	privKeyBytes, err := x509.MarshalPKCS8PrivateKey(privKey)
481	if err != nil {
482	return err
483	}
484
485	notBefore := time.Now()
486	// Lets make a fair assumption nobody will use the same cert for more than 20 years...
487	notAfter := notBefore.Add(24 * time.Hour * 365 * 20)
488	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
489	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
490	if err != nil {
491	return err
492	}
493	cert := &x509.Certificate{
494	SerialNumber: serialNumber,
495	Subject: pkix.Name{CommonName: "soju auto-generated certificate"},
496	NotBefore: notBefore,
497	NotAfter: notAfter,
498	KeyUsage: x509.KeyUsageKeyEncipherment \| x509.KeyUsageDigitalSignature,
499	ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
500	}
501	derBytes, err := x509.CreateCertificate(rand.Reader, cert, cert, pubKey, privKey)
502	if err != nil {
503	return err
504	}
505
506	net.SASL.External.CertBlob = derBytes
507	net.SASL.External.PrivKeyBlob = privKeyBytes
508	net.SASL.Mechanism = "EXTERNAL"
509
510	if err := dc.srv.db.StoreNetwork(net.Username, &net.Network); err != nil {
511	return err
512	}
513
514	sendServicePRIVMSG(dc, "certificate generated")
515
516	sha1Sum := sha1.Sum(derBytes)
517	sendServicePRIVMSG(dc, "SHA-1 fingerprint: "+hex.EncodeToString(sha1Sum[:]))
518	sha256Sum := sha256.Sum256(derBytes)
519	sendServicePRIVMSG(dc, "SHA-256 fingerprint: "+hex.EncodeToString(sha256Sum[:]))
520
521	return nil
522	}
523
524	func handleServiceCertfpFingerprints(dc *downstreamConn, params []string) error {
525	if len(params) != 1 {
526	return fmt.Errorf("expected exactly one argument")
527	}
528
529	net := dc.user.getNetwork(params[0])
530	if net == nil {
531	return fmt.Errorf("unknown network %q", params[0])
532	}
533
534	sha1Sum := sha1.Sum(net.SASL.External.CertBlob)
535	sendServicePRIVMSG(dc, "SHA-1 fingerprint: "+hex.EncodeToString(sha1Sum[:]))
536	sha256Sum := sha256.Sum256(net.SASL.External.CertBlob)
537	sendServicePRIVMSG(dc, "SHA-256 fingerprint: "+hex.EncodeToString(sha256Sum[:]))
538	return nil
539	}
540
541	func handleServiceCertfpReset(dc *downstreamConn, params []string) error {
542	if len(params) != 1 {
543	return fmt.Errorf("expected exactly one argument")
544	}
545
546	net := dc.user.getNetwork(params[0])
547	if net == nil {
548	return fmt.Errorf("unknown network %q", params[0])
549	}
550
551	net.SASL.External.CertBlob = nil
552	net.SASL.External.PrivKeyBlob = nil
553
554	if net.SASL.Mechanism == "EXTERNAL" {
555	net.SASL.Mechanism = ""
556	}
557	if err := dc.srv.db.StoreNetwork(dc.user.Username, &net.Network); err != nil {
558	return err
559	}
560
561	sendServicePRIVMSG(dc, "certificate reset")
562	return nil
563	}
564
565	func handlePasswordChange(dc *downstreamConn, params []string) error {
566	if len(params) != 1 {
567	return fmt.Errorf("expected exactly one argument")
568	}
569
570	hashed, err := bcrypt.GenerateFromPassword([]byte(params[0]), bcrypt.DefaultCost)
571	if err != nil {
572	return fmt.Errorf("failed to hash password: %v", err)
573	}
574	if err := dc.user.updatePassword(string(hashed)); err != nil {
575	return err
576	}
577
578	sendServicePRIVMSG(dc, "password updated")
579	return nil
580	}
581
582	func handleUserCreate(dc *downstreamConn, params []string) error {
583	fs := newFlagSet()
584	username := fs.String("username", "", "")
585	password := fs.String("password", "", "")
586	admin := fs.Bool("admin", false, "")
587
588	if err := fs.Parse(params); err != nil {
589	return err
590	}
591	if *username == "" {
592	return fmt.Errorf("flag -username is required")
593	}
594	if *password == "" {
595	return fmt.Errorf("flag -password is required")
596	}
597
598	hashed, err := bcrypt.GenerateFromPassword([]byte(*password), bcrypt.DefaultCost)
599	if err != nil {
600	return fmt.Errorf("failed to hash password: %v", err)
601	}
602
603	user := &User{
604	Username: *username,
605	Password: string(hashed),
606	Admin: *admin,
607	}
608	if _, err := dc.srv.createUser(user); err != nil {
609	return fmt.Errorf("could not create user: %v", err)
610	}
611
612	sendServicePRIVMSG(dc, fmt.Sprintf("created user %q", *username))
613	return nil
614	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: