From 2e1ddeb6547e140e9651231fedcd00e8ee4b1ccd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?louiz=E2=80=99?= Date: Sun, 14 Jun 2020 22:54:42 +0200 Subject: Implement SASL plain authentication --- src/database/database.hpp | 4 +- src/irc/capability.hpp | 9 ++ src/irc/irc_client.cpp | 118 +++++++++++++++++++--- src/irc/irc_client.hpp | 20 +++- src/irc/sasl.hpp | 9 ++ src/utils/base64.cpp | 19 ++++ src/utils/base64.hpp | 10 ++ src/xmpp/biboumi_adhoc_commands.cpp | 16 +++ tests/end_to_end/__main__.py | 2 + tests/end_to_end/scenarios/sasl.py | 34 +++++++ tests/end_to_end/scenarios/simple_channel_join.py | 1 - tests/end_to_end/sequences.py | 18 ++-- 12 files changed, 235 insertions(+), 25 deletions(-) create mode 100644 src/irc/capability.hpp create mode 100644 src/irc/sasl.hpp create mode 100644 src/utils/base64.cpp create mode 100644 src/utils/base64.hpp create mode 100644 tests/end_to_end/scenarios/sasl.py diff --git a/src/database/database.hpp b/src/database/database.hpp index a53f87b..de1df49 100644 --- a/src/database/database.hpp +++ b/src/database/database.hpp @@ -43,6 +43,8 @@ class Database struct Nick: Column { static constexpr auto name = "nick_"; }; + struct SaslPassword: Column { static constexpr auto name = "saslpassword_"; }; + struct Pass: Column { static constexpr auto name = "pass_"; }; struct Ports: Column { static constexpr auto name = "ports_"; @@ -95,7 +97,7 @@ class Database using GlobalOptionsTable = Table; using GlobalOptions = GlobalOptionsTable::RowType; - using IrcServerOptionsTable = Table; + using IrcServerOptionsTable = Table; using IrcServerOptions = IrcServerOptionsTable::RowType; using IrcChannelOptionsTable = Table; diff --git a/src/irc/capability.hpp b/src/irc/capability.hpp new file mode 100644 index 0000000..55ccb0c --- /dev/null +++ b/src/irc/capability.hpp @@ -0,0 +1,9 @@ +#pragma once + +#include + +struct Capability +{ + std::function on_ack; + std::function on_nack; +}; diff --git a/src/irc/irc_client.cpp b/src/irc/irc_client.cpp index de38d42..183a9d8 100644 --- a/src/irc/irc_client.cpp +++ b/src/irc/irc_client.cpp @@ -5,6 +5,7 @@ #include #include #include +#include #include #include @@ -81,6 +82,11 @@ static const std::unordered_mapsend_message({"CAP", {"REQ", "multi-prefix"}}); - this->send_message({"CAP", {"END"}}); + this->send_gateway_message("Connected to IRC server"s + (this->use_tls ? " (encrypted)": "") + "."); + + this->capabilities["multi-prefix"] = {[]{}, []{}}; #ifdef USE_DATABASE auto options = Database::get_irc_server_options(this->bridge.get_bare_jid(), this->get_hostname()); - if (!options.col().empty()) + + const auto& sasl_password = options.col(); + const auto& server_password = options.col(); + + if (!server_password.empty()) this->send_pass_command(options.col()); + + if (!sasl_password.empty()) + { + this->capabilities["sasl"] = { + [this] + { + this->send_message({"AUTHENTICATE", {"PLAIN"}}); + log_warning("negociating SASL now..."); + }, + [] + { + log_warning("SASL not supported by the server, disconnecting."); + } + }; + this->sasl_state = SaslState::needed; + } #endif - this->send_nick_command(this->current_nick); + { + for (const auto &pair : this->capabilities) + this->send_message({ "CAP", {"REQ", pair.first}}); + } + this->send_nick_command(this->current_nick); #ifdef USE_DATABASE if (Config::get("realname_customization", "true") == "true") { @@ -298,9 +329,6 @@ void IrcClient::on_connected() #else this->send_user_command(this->username, this->realname); #endif - this->send_gateway_message("Connected to IRC server"s + (this->use_tls ? " (encrypted)": "") + "."); - this->send_pending_data(); - this->bridge.on_irc_client_connected(this->get_hostname()); } void IrcClient::on_connection_close(const std::string& error_msg) @@ -371,12 +399,14 @@ void IrcClient::parse_in_buffer(const size_t) { const auto& limits = it->second.second; // Check that the Message is well formed before actually calling - // the callback. limits.first is the min number of arguments, - // second is the max - if (message.arguments.size() < limits.first || - (limits.second > 0 && message.arguments.size() > limits.second)) + // the callback. + const auto args_size = message.arguments.size(); + const auto min = limits.first; + const auto max = limits.second; + if (args_size < min || + (max > 0 && args_size > max)) log_warning("Invalid number of arguments for IRC command “", message.command, - "”: ", message.arguments.size()); + "”: ", args_size); else { const auto& cb = it->second.first; @@ -1266,7 +1296,7 @@ void IrcClient::on_unknown_message(const IrcMessage& message) return ; std::string from = message.prefix; std::stringstream ss; - for (auto it = message.arguments.begin() + 1; it != message.arguments.end(); ++it) + for (auto it = std::next(message.arguments.begin()); it != message.arguments.end(); ++it) { ss << *it; if (it + 1 != message.arguments.end()) @@ -1299,3 +1329,65 @@ long int IrcClient::get_throttle_limit() const return 10; #endif } + +void IrcClient::on_cap(const IrcMessage &message) +{ + const auto& sub_command = message.arguments[1]; + const auto& cap = message.arguments[2]; + auto it = this->capabilities.find(cap); + if (it == this->capabilities.end()) + { + log_warning("Received a CAP message for something we didn’t ask, or that we already handled."); + return; + } + Capability& capability = it->second; + if (sub_command == "ACK") + capability.on_ack(); + else if (sub_command == "NACK") + capability.on_nack(); + this->capabilities.erase(it); + this->cap_end(); +} + +void IrcClient::on_authenticate(const IrcMessage &) +{ + if (this->sasl_state == SaslState::unneeded) + { + log_warning("Received an AUTHENTICATE command but we don’t intend to authenticate…"); + return; + } +#ifdef USE_DATABASE + auto options = Database::get_irc_server_options(this->bridge.get_bare_jid(), + this->get_hostname()); + const auto auth_string = '\0' + options.col() + '\0' + options.col(); + const auto base64_auth_string = base64::encode(auth_string); + this->send_message({"AUTHENTICATE", {base64_auth_string}}); +#endif +} + +void IrcClient::on_sasl_success(const IrcMessage &) +{ + this->sasl_state = SaslState::success; + this->cap_end(); +} + +void IrcClient::on_sasl_login(const IrcMessage &message) +{ + const auto& login = message.arguments[2]; + std::string text = "Your are now logged in as " + login; + if (message.arguments.size() > 3) + text = message.arguments[3]; + this->bridge.send_xmpp_message(this->hostname, message.prefix, text); +} + +void IrcClient::cap_end() +{ + if (!this->capabilities.empty()) + return; + // If we are currently authenticating through sasl, finish that before sending CAP END + if (this->sasl_state == SaslState::needed) + return; + + this->send_message({"CAP", {"END"}}); + this->bridge.on_irc_client_connected(this->get_hostname()); +} diff --git a/src/irc/irc_client.hpp b/src/irc/irc_client.hpp index cfb3d21..e2ad8b9 100644 --- a/src/irc/irc_client.hpp +++ b/src/irc/irc_client.hpp @@ -1,8 +1,9 @@ #pragma once - #include #include +#include +#include #include #include @@ -231,6 +232,17 @@ public: * The IRC server is confirming that the invitation has been forwarded */ void on_invited(const IrcMessage& message); + /** + * The IRC server sends a CAP message, as part of capabilities negociation. It could be a ACK, + * NACK, or something else + */ + void on_cap(const IrcMessage& message); +private: + void cap_end(); +public: + void on_authenticate(const IrcMessage& message); + void on_sasl_success(const IrcMessage& message); + void on_sasl_login(const IrcMessage& message); /** * The channel has been completely joined (self presence, topic, all names * received etc), send the self presence and topic to the XMPP user. @@ -359,6 +371,12 @@ private: * has been established, we are authentified and we have a nick) */ bool welcomed; + /** + * Whether or not we are trying to authenticate using sasl. If this is true we need to wait for a + * successful auth + */ + SaslState sasl_state{SaslState::unneeded}; + std::map capabilities; /** * See http://www.irc.org/tech_docs/draft-brocklesby-irc-isupport-03.txt section 3.3 * We store the possible chanmodes in this object. diff --git a/src/irc/sasl.hpp b/src/irc/sasl.hpp new file mode 100644 index 0000000..775bc3f --- /dev/null +++ b/src/irc/sasl.hpp @@ -0,0 +1,9 @@ +#pragma once + +enum class SaslState +{ + unneeded, + needed, + failure, + success, +}; diff --git a/src/utils/base64.cpp b/src/utils/base64.cpp new file mode 100644 index 0000000..350e2db --- /dev/null +++ b/src/utils/base64.cpp @@ -0,0 +1,19 @@ +#include + +#ifdef BOTAN_FOUND +#include +#endif + +namespace base64 +{ + +std::string encode(const std::string &input) +{ +#ifdef BOTAN_FOUND + return Botan::base64_encode(reinterpret_cast(input.data()), input.size()); +#else +#error "base64::encode() not yet implemented without Botan." +#endif +} + +} diff --git a/src/utils/base64.hpp b/src/utils/base64.hpp new file mode 100644 index 0000000..1dd4a4d --- /dev/null +++ b/src/utils/base64.hpp @@ -0,0 +1,10 @@ +#pragma once + +#include "biboumi.h" + +#include + +namespace base64 +{ +std::string encode(const std::string& input); +} diff --git a/src/xmpp/biboumi_adhoc_commands.cpp b/src/xmpp/biboumi_adhoc_commands.cpp index 113943c..99589e0 100644 --- a/src/xmpp/biboumi_adhoc_commands.cpp +++ b/src/xmpp/biboumi_adhoc_commands.cpp @@ -325,6 +325,19 @@ void ConfigureIrcServerStep1(XmppComponent&, AdhocSession& session, XmlNode& com } } + { + XmlSubNode field(x, "field"); + field["var"] = "sasl_password"; + field["type"] = "text-private"; + field["label"] = "SASL Password"; + set_desc(field, "Use it to authenticate with your nick."); + if (!options.col().empty()) + { + XmlSubNode value(field, "value"); + value.set_inner(options.col()); + } + } + { XmlSubNode pass(x, "field"); pass["var"] = "pass"; @@ -482,6 +495,9 @@ void ConfigureIrcServerStep2(XmppComponent& xmpp_component, AdhocSession& sessio else if (field->get_tag("var") == "nick" && value) options.col() = value->get_inner(); + else if (field->get_tag("var") == "sasl_password" && value) + options.col() = value->get_inner(); + else if (field->get_tag("var") == "pass" && value) options.col() = value->get_inner(); diff --git a/tests/end_to_end/__main__.py b/tests/end_to_end/__main__.py index 1e4ffca..6e753f6 100644 --- a/tests/end_to_end/__main__.py +++ b/tests/end_to_end/__main__.py @@ -184,6 +184,8 @@ class BiboumiRunner(ProcessRunner): class IrcServerRunner(ProcessRunner): def __init__(self): super().__init__() + # Always start with a fresh state + os.remove("ircd.db") subprocess.run(["oragono", "mkcerts", "--conf", os.getcwd() + "/../tests/end_to_end/ircd.yaml"]) self.create = asyncio.create_subprocess_exec("oragono", "run", "--conf", os.getcwd() + "/../tests/end_to_end/ircd.yaml", stderr=asyncio.subprocess.PIPE) diff --git a/tests/end_to_end/scenarios/sasl.py b/tests/end_to_end/scenarios/sasl.py new file mode 100644 index 0000000..5f71b7a --- /dev/null +++ b/tests/end_to_end/scenarios/sasl.py @@ -0,0 +1,34 @@ +from scenarios import * + +scenario = ( + send_stanza(""), + sequences.connection(), + + simple_channel_join.expect_self_join_presence(jid = '{jid_one}/{resource_one}', chan = "#foo", nick = "RegisteredUser"), + + # Create an account by talking to nickserv directly + send_stanza("register P4SSW0RD"), + expect_stanza("/message/body[text()='Account created']"), + expect_stanza("/message/body[text()=\"You're now logged in as RegisteredUser\"]"), + send_stanza(""), + expect_stanza("/presence[@type='unavailable']"), + + # Configure an sasl password + send_stanza(""), + expect_stanza("/iq[@type='result']/commands:command[@node='configure'][@sessionid][@status='executing']", + "/iq/commands:command/dataform:x[@type='form']/dataform:field[@type='text-private'][@var='sasl_password']", + after = save_value("sessionid", extract_attribute("/iq[@type='result']/commands:command[@node='configure']", "sessionid"))), + + send_stanza("" + "" + "" + "P4SSW0RD" + "6667" + "RegisteredUser" + "66976670" + ""), + expect_stanza("/iq[@type='result']/commands:command[@node='configure'][@status='completed']/commands:note[@type='info'][text()='Configuration successfully applied.']"), + + send_stanza(""), + sequences.connection(login="RegisteredUser") +) diff --git a/tests/end_to_end/scenarios/simple_channel_join.py b/tests/end_to_end/scenarios/simple_channel_join.py index 9beba3b..6b57207 100644 --- a/tests/end_to_end/scenarios/simple_channel_join.py +++ b/tests/end_to_end/scenarios/simple_channel_join.py @@ -15,6 +15,5 @@ scenario = ( sequences.connection(), expect_self_join_presence(jid = '{jid_one}/{resource_one}', chan = "#foo", nick = "{nick_one}"), - ) diff --git a/tests/end_to_end/sequences.py b/tests/end_to_end/sequences.py index b545b1c..f151bc7 100644 --- a/tests/end_to_end/sequences.py +++ b/tests/end_to_end/sequences.py @@ -6,7 +6,7 @@ def handshake(): send_stanza("") ) -def connection_begin(irc_host, jid, expected_irc_presence=False, fixed_irc_server=False): +def connection_begin(irc_host, jid, expected_irc_presence=False, fixed_irc_server=False, login=None): jid = jid.format_map(common_replacements) if fixed_irc_server: xpath = "/message[@to='" + jid + "'][@from='biboumi.localhost']/body[text()='%s']" @@ -26,12 +26,12 @@ def connection_begin(irc_host, jid, expected_irc_presence=False, fixed_irc_serve if expected_irc_presence: result += (expect_stanza("/presence[@from='" + irc_host + "@biboumi.localhost']"),) + if login is not None: + result += (expect_stanza("/message/body[text()='irc.localhost: You are now logged in as %s']" % (login,)),) result += ( - expect_stanza("/message/body[text()='irc.localhost: ACK multi-prefix']"), expect_stanza("/message/body[text()='irc.localhost: *** Looking up your hostname...']"), - expect_stanza("/message/body[text()='irc.localhost: *** Found your hostname']"), - ), - + expect_stanza("/message/body[text()='irc.localhost: *** Found your hostname']") + ) return result def connection_tls_begin(irc_host, jid, fixed_irc_server): @@ -47,9 +47,8 @@ def connection_tls_begin(irc_host, jid, fixed_irc_server): "/message/carbon:private", ), expect_stanza(xpath % 'Connected to IRC server (encrypted).'), - expect_stanza("/message/body[text()='irc.localhost: ACK multi-prefix']"), expect_stanza("/message/body[text()='irc.localhost: *** Looking up your hostname...']"), - expect_stanza("/message/body[text()='irc.localhost: *** Found your hostname']"), + expect_stanza("/message/body[text()='irc.localhost: *** Found your hostname']") ) def connection_end(irc_host, jid, fixed_irc_server=False): @@ -75,8 +74,9 @@ def connection_end(irc_host, jid, fixed_irc_server=False): expect_stanza(xpath_re % (r'.+? \+Z',)), ) -def connection(irc_host="irc.localhost", jid="{jid_one}/{resource_one}", expected_irc_presence=False, fixed_irc_server=False): - return connection_begin(irc_host, jid, expected_irc_presence, fixed_irc_server=fixed_irc_server) + \ + +def connection(irc_host="irc.localhost", jid="{jid_one}/{resource_one}", expected_irc_presence=False, fixed_irc_server=False, login=None): + return connection_begin(irc_host, jid, expected_irc_presence, fixed_irc_server=fixed_irc_server, login=login) + \ connection_end(irc_host, jid, fixed_irc_server=fixed_irc_server) def connection_tls(irc_host="irc.localhost", jid="{jid_one}/{resource_one}", fixed_irc_server=False): -- cgit v1.2.3