From 2e1ddeb6547e140e9651231fedcd00e8ee4b1ccd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?louiz=E2=80=99?= <louiz@louiz.org>
Date: Sun, 14 Jun 2020 22:54:42 +0200
Subject: Implement SASL plain authentication

---
 src/database/database.hpp                         |   4 +-
 src/irc/capability.hpp                            |   9 ++
 src/irc/irc_client.cpp                            | 118 +++++++++++++++++++---
 src/irc/irc_client.hpp                            |  20 +++-
 src/irc/sasl.hpp                                  |   9 ++
 src/utils/base64.cpp                              |  19 ++++
 src/utils/base64.hpp                              |  10 ++
 src/xmpp/biboumi_adhoc_commands.cpp               |  16 +++
 tests/end_to_end/__main__.py                      |   2 +
 tests/end_to_end/scenarios/sasl.py                |  34 +++++++
 tests/end_to_end/scenarios/simple_channel_join.py |   1 -
 tests/end_to_end/sequences.py                     |  18 ++--
 12 files changed, 235 insertions(+), 25 deletions(-)
 create mode 100644 src/irc/capability.hpp
 create mode 100644 src/irc/sasl.hpp
 create mode 100644 src/utils/base64.cpp
 create mode 100644 src/utils/base64.hpp
 create mode 100644 tests/end_to_end/scenarios/sasl.py

diff --git a/src/database/database.hpp b/src/database/database.hpp
index a53f87b..de1df49 100644
--- a/src/database/database.hpp
+++ b/src/database/database.hpp
@@ -43,6 +43,8 @@ class Database
 
   struct Nick: Column<std::string> { static constexpr auto name = "nick_"; };
 
+  struct SaslPassword: Column<std::string> { static constexpr auto name = "saslpassword_"; };
+
   struct Pass: Column<std::string> { static constexpr auto name = "pass_"; };
 
   struct Ports: Column<std::string> { static constexpr auto name = "ports_";
@@ -95,7 +97,7 @@ class Database
   using GlobalOptionsTable = Table<Id, Owner, MaxHistoryLength, RecordHistory, GlobalPersistent>;
   using GlobalOptions = GlobalOptionsTable::RowType;
 
-  using IrcServerOptionsTable = Table<Id, Owner, Server, Pass, TlsPorts, Ports, Username, Realname, VerifyCert, TrustedFingerprint, EncodingOut, EncodingIn, MaxHistoryLength, Address, Nick, ThrottleLimit>;
+  using IrcServerOptionsTable = Table<Id, Owner, Server, Pass, TlsPorts, Ports, Username, Realname, VerifyCert, TrustedFingerprint, EncodingOut, EncodingIn, MaxHistoryLength, Address, Nick, SaslPassword, ThrottleLimit>;
   using IrcServerOptions = IrcServerOptionsTable::RowType;
 
   using IrcChannelOptionsTable = Table<Id, Owner, Server, Channel, EncodingOut, EncodingIn, MaxHistoryLength, Persistent, RecordHistoryOptional>;
diff --git a/src/irc/capability.hpp b/src/irc/capability.hpp
new file mode 100644
index 0000000..55ccb0c
--- /dev/null
+++ b/src/irc/capability.hpp
@@ -0,0 +1,9 @@
+#pragma once
+
+#include <functional>
+
+struct Capability
+{
+  std::function<void()> on_ack;
+  std::function<void()> on_nack;
+};
diff --git a/src/irc/irc_client.cpp b/src/irc/irc_client.cpp
index de38d42..183a9d8 100644
--- a/src/irc/irc_client.cpp
+++ b/src/irc/irc_client.cpp
@@ -5,6 +5,7 @@
 #include <irc/irc_client.hpp>
 #include <bridge/bridge.hpp>
 #include <irc/irc_user.hpp>
+#include <utils/base64.hpp>
 
 #include <logger/logger.hpp>
 #include <config/config.hpp>
@@ -81,6 +82,11 @@ static const std::unordered_map<std::string,
   {"PONG", {&IrcClient::on_pong, {0, 0}}},
   {"KICK", {&IrcClient::on_kick, {3, 0}}},
   {"INVITE", {&IrcClient::on_invite, {2, 0}}},
+  {"CAP", {&IrcClient::on_cap, {3, 0}}},
+  {"AUTHENTICATE", {&IrcClient::on_authenticate, {1, 0}}},
+  {"903", {&IrcClient::on_sasl_success, {0, 0}}},
+  {"900", {&IrcClient::on_sasl_login, {3, 0}}},
+
 
   {"401", {&IrcClient::on_generic_error, {2, 0}}},
   {"402", {&IrcClient::on_generic_error, {2, 0}}},
@@ -272,18 +278,43 @@ void IrcClient::on_connected()
         }
     }
 
-  this->send_message({"CAP", {"REQ", "multi-prefix"}});
-  this->send_message({"CAP", {"END"}});
+  this->send_gateway_message("Connected to IRC server"s + (this->use_tls ? " (encrypted)": "") + ".");
+
+  this->capabilities["multi-prefix"] = {[]{}, []{}};
 
 #ifdef USE_DATABASE
   auto options = Database::get_irc_server_options(this->bridge.get_bare_jid(),
                                                   this->get_hostname());
-  if (!options.col<Database::Pass>().empty())
+
+  const auto& sasl_password = options.col<Database::SaslPassword>();
+  const auto& server_password = options.col<Database::Pass>();
+
+  if (!server_password.empty())
     this->send_pass_command(options.col<Database::Pass>());
+
+  if (!sasl_password.empty())
+    {
+      this->capabilities["sasl"] = {
+          [this]
+          {
+            this->send_message({"AUTHENTICATE", {"PLAIN"}});
+            log_warning("negociating SASL now...");
+          },
+          []
+          {
+            log_warning("SASL not supported by the server, disconnecting.");
+          }
+      };
+      this->sasl_state = SaslState::needed;
+    }
 #endif
 
-  this->send_nick_command(this->current_nick);
+  {
+    for (const auto &pair : this->capabilities)
+      this->send_message({ "CAP", {"REQ", pair.first}});
+  }
 
+  this->send_nick_command(this->current_nick);
 #ifdef USE_DATABASE
   if (Config::get("realname_customization", "true") == "true")
     {
@@ -298,9 +329,6 @@ void IrcClient::on_connected()
 #else
   this->send_user_command(this->username, this->realname);
 #endif
-  this->send_gateway_message("Connected to IRC server"s + (this->use_tls ? " (encrypted)": "") + ".");
-  this->send_pending_data();
-  this->bridge.on_irc_client_connected(this->get_hostname());
 }
 
 void IrcClient::on_connection_close(const std::string& error_msg)
@@ -371,12 +399,14 @@ void IrcClient::parse_in_buffer(const size_t)
         {
           const auto& limits = it->second.second;
           // Check that the Message is well formed before actually calling
-          // the callback. limits.first is the min number of arguments,
-          // second is the max
-          if (message.arguments.size() < limits.first ||
-              (limits.second > 0 && message.arguments.size() > limits.second))
+          // the callback.
+          const auto args_size = message.arguments.size();
+          const auto min = limits.first;
+          const auto max = limits.second;
+          if (args_size < min ||
+              (max > 0 && args_size > max))
             log_warning("Invalid number of arguments for IRC command “", message.command,
-                        "”: ", message.arguments.size());
+                        "”: ", args_size);
           else
             {
               const auto& cb = it->second.first;
@@ -1266,7 +1296,7 @@ void IrcClient::on_unknown_message(const IrcMessage& message)
     return ;
   std::string from = message.prefix;
   std::stringstream ss;
-  for (auto it = message.arguments.begin() + 1; it != message.arguments.end(); ++it)
+  for (auto it = std::next(message.arguments.begin()); it != message.arguments.end(); ++it)
     {
       ss << *it;
       if (it + 1 != message.arguments.end())
@@ -1299,3 +1329,65 @@ long int IrcClient::get_throttle_limit() const
   return 10;
 #endif
 }
+
+void IrcClient::on_cap(const IrcMessage &message)
+{
+  const auto& sub_command = message.arguments[1];
+  const auto& cap = message.arguments[2];
+  auto it = this->capabilities.find(cap);
+  if (it == this->capabilities.end())
+    {
+      log_warning("Received a CAP message for something we didn’t ask, or that we already handled.");
+      return;
+    }
+  Capability& capability = it->second;
+  if (sub_command == "ACK")
+    capability.on_ack();
+  else if (sub_command == "NACK")
+    capability.on_nack();
+  this->capabilities.erase(it);
+  this->cap_end();
+}
+
+void IrcClient::on_authenticate(const IrcMessage &)
+{
+  if (this->sasl_state == SaslState::unneeded)
+    {
+      log_warning("Received an AUTHENTICATE command but we don’t intend to authenticate…");
+      return;
+    }
+#ifdef USE_DATABASE
+  auto options = Database::get_irc_server_options(this->bridge.get_bare_jid(),
+                                                  this->get_hostname());
+  const auto auth_string = '\0' + options.col<Database::Nick>() + '\0' + options.col<Database::SaslPassword>();
+  const auto base64_auth_string = base64::encode(auth_string);
+  this->send_message({"AUTHENTICATE", {base64_auth_string}});
+#endif
+}
+
+void IrcClient::on_sasl_success(const IrcMessage &)
+{
+  this->sasl_state = SaslState::success;
+  this->cap_end();
+}
+
+void IrcClient::on_sasl_login(const IrcMessage &message)
+{
+  const auto& login = message.arguments[2];
+  std::string text = "Your are now logged in as " + login;
+  if (message.arguments.size() > 3)
+    text = message.arguments[3];
+  this->bridge.send_xmpp_message(this->hostname, message.prefix, text);
+}
+
+void IrcClient::cap_end()
+{
+  if (!this->capabilities.empty())
+    return;
+  // If we are currently authenticating through sasl, finish that before sending CAP END
+  if (this->sasl_state == SaslState::needed)
+    return;
+
+  this->send_message({"CAP", {"END"}});
+  this->bridge.on_irc_client_connected(this->get_hostname());
+}
diff --git a/src/irc/irc_client.hpp b/src/irc/irc_client.hpp
index cfb3d21..e2ad8b9 100644
--- a/src/irc/irc_client.hpp
+++ b/src/irc/irc_client.hpp
@@ -1,8 +1,9 @@
 #pragma once
 
-
 #include <irc/irc_message.hpp>
 #include <irc/irc_channel.hpp>
+#include <irc/capability.hpp>
+#include <irc/sasl.hpp>
 #include <irc/iid.hpp>
 
 #include <bridge/history_limit.hpp>
@@ -231,6 +232,17 @@ public:
    * The IRC server is confirming that the invitation has been forwarded
    */
   void on_invited(const IrcMessage& message);
+  /**
+   *  The IRC server sends a CAP message, as part of capabilities negociation. It could be a ACK,
+   *  NACK, or something else
+   */
+  void on_cap(const IrcMessage& message);
+private:
+  void cap_end();
+public:
+  void on_authenticate(const IrcMessage& message);
+  void on_sasl_success(const IrcMessage& message);
+  void on_sasl_login(const IrcMessage& message);
   /**
    * The channel has been completely joined (self presence, topic, all names
    * received etc), send the self presence and topic to the XMPP user.
@@ -359,6 +371,12 @@ private:
    * has been established, we are authentified and we have a nick)
    */
   bool welcomed;
+  /**
+   * Whether or not we are trying to authenticate using sasl. If this is true we need to wait for a
+   * successful auth
+   */
+  SaslState sasl_state{SaslState::unneeded};
+  std::map<std::string, Capability> capabilities;
   /**
    * See http://www.irc.org/tech_docs/draft-brocklesby-irc-isupport-03.txt section 3.3
    * We store the possible chanmodes in this object.
diff --git a/src/irc/sasl.hpp b/src/irc/sasl.hpp
new file mode 100644
index 0000000..775bc3f
--- /dev/null
+++ b/src/irc/sasl.hpp
@@ -0,0 +1,9 @@
+#pragma once
+
+enum class SaslState
+{
+  unneeded,
+  needed,
+  failure,
+  success,
+};
diff --git a/src/utils/base64.cpp b/src/utils/base64.cpp
new file mode 100644
index 0000000..350e2db
--- /dev/null
+++ b/src/utils/base64.cpp
@@ -0,0 +1,19 @@
+#include <utils/base64.hpp>
+
+#ifdef BOTAN_FOUND
+#include <botan/base64.h>
+#endif
+
+namespace base64
+{
+
+std::string encode(const std::string &input)
+{
+#ifdef BOTAN_FOUND
+  return Botan::base64_encode(reinterpret_cast<const uint8_t*>(input.data()), input.size());
+#else
+#error "base64::encode() not yet implemented without Botan."
+#endif
+}
+
+}
diff --git a/src/utils/base64.hpp b/src/utils/base64.hpp
new file mode 100644
index 0000000..1dd4a4d
--- /dev/null
+++ b/src/utils/base64.hpp
@@ -0,0 +1,10 @@
+#pragma once
+
+#include "biboumi.h"
+
+#include <string>
+
+namespace base64
+{
+std::string encode(const std::string& input);
+}
diff --git a/src/xmpp/biboumi_adhoc_commands.cpp b/src/xmpp/biboumi_adhoc_commands.cpp
index 113943c..99589e0 100644
--- a/src/xmpp/biboumi_adhoc_commands.cpp
+++ b/src/xmpp/biboumi_adhoc_commands.cpp
@@ -325,6 +325,19 @@ void ConfigureIrcServerStep1(XmppComponent&, AdhocSession& session, XmlNode& com
       }
   }
 
+  {
+    XmlSubNode field(x, "field");
+    field["var"] = "sasl_password";
+    field["type"] = "text-private";
+    field["label"] = "SASL Password";
+    set_desc(field, "Use it to authenticate with your nick.");
+    if (!options.col<Database::SaslPassword>().empty())
+      {
+        XmlSubNode value(field, "value");
+        value.set_inner(options.col<Database::SaslPassword>());
+      }
+  }
+
   {
     XmlSubNode pass(x, "field");
     pass["var"] = "pass";
@@ -482,6 +495,9 @@ void ConfigureIrcServerStep2(XmppComponent& xmpp_component, AdhocSession& sessio
           else if (field->get_tag("var") == "nick" && value)
             options.col<Database::Nick>() = value->get_inner();
 
+          else if (field->get_tag("var") == "sasl_password" && value)
+            options.col<Database::SaslPassword>() = value->get_inner();
+
           else if (field->get_tag("var") == "pass" && value)
             options.col<Database::Pass>() = value->get_inner();
 
diff --git a/tests/end_to_end/__main__.py b/tests/end_to_end/__main__.py
index 1e4ffca..6e753f6 100644
--- a/tests/end_to_end/__main__.py
+++ b/tests/end_to_end/__main__.py
@@ -184,6 +184,8 @@ class BiboumiRunner(ProcessRunner):
 class IrcServerRunner(ProcessRunner):
     def __init__(self):
         super().__init__()
+        # Always start with a fresh state
+        os.remove("ircd.db")
         subprocess.run(["oragono", "mkcerts", "--conf", os.getcwd() + "/../tests/end_to_end/ircd.yaml"])
         self.create = asyncio.create_subprocess_exec("oragono", "run", "--conf", os.getcwd() + "/../tests/end_to_end/ircd.yaml",
                                                      stderr=asyncio.subprocess.PIPE)
diff --git a/tests/end_to_end/scenarios/sasl.py b/tests/end_to_end/scenarios/sasl.py
new file mode 100644
index 0000000..5f71b7a
--- /dev/null
+++ b/tests/end_to_end/scenarios/sasl.py
@@ -0,0 +1,34 @@
+from scenarios import *
+
+scenario = (
+    send_stanza("<presence from='{jid_one}/{resource_one}' to='#foo%{irc_server_one}/RegisteredUser' ><x xmlns='http://jabber.org/protocol/muc'/></presence>"),
+    sequences.connection(),
+
+    simple_channel_join.expect_self_join_presence(jid = '{jid_one}/{resource_one}', chan = "#foo", nick = "RegisteredUser"),
+
+    # Create an account by talking to nickserv directly
+    send_stanza("<message from='{jid_one}/{resource_one}' to='nickserv%{irc_server_one}' type='chat'><body>register P4SSW0RD</body></message>"),
+    expect_stanza("/message/body[text()='Account created']"),
+    expect_stanza("/message/body[text()=\"You're now logged in as RegisteredUser\"]"),
+    send_stanza("<presence from='{jid_one}/{resource_one}' to='#foo%{irc_server_one}/{nick_one}' type='unavailable' />"),
+    expect_stanza("/presence[@type='unavailable']"),
+
+    # Configure an sasl password
+    send_stanza("<iq type='set' id='id1' from='{jid_one}/{resource_one}' to='{irc_server_one}'><command xmlns='http://jabber.org/protocol/commands' node='configure' action='execute' /></iq>"),
+    expect_stanza("/iq[@type='result']/commands:command[@node='configure'][@sessionid][@status='executing']",
+                  "/iq/commands:command/dataform:x[@type='form']/dataform:field[@type='text-private'][@var='sasl_password']",
+                  after = save_value("sessionid", extract_attribute("/iq[@type='result']/commands:command[@node='configure']", "sessionid"))),
+
+    send_stanza("<iq type='set' id='id2' from='{jid_one}/{resource_one}' to='{irc_server_one}'>"
+                "<command xmlns='http://jabber.org/protocol/commands' node='configure' sessionid='{sessionid}' action='complete'>"
+                "<x xmlns='jabber:x:data' type='submit'>"
+                "<field var='sasl_password'><value>P4SSW0RD</value></field>"
+                "<field var='ports'><value>6667</value></field>"
+                "<field var='nick'><value>RegisteredUser</value></field>"
+                "<field var='tls_ports'><value>6697</value><value>6670</value></field>"
+                "</x></command></iq>"),
+    expect_stanza("/iq[@type='result']/commands:command[@node='configure'][@status='completed']/commands:note[@type='info'][text()='Configuration successfully applied.']"),
+
+    send_stanza("<presence from='{jid_one}/{resource_one}' to='#foo%{irc_server_one}/{nick_one}' ><x xmlns='http://jabber.org/protocol/muc'/></presence>"),
+    sequences.connection(login="RegisteredUser")
+)
diff --git a/tests/end_to_end/scenarios/simple_channel_join.py b/tests/end_to_end/scenarios/simple_channel_join.py
index 9beba3b..6b57207 100644
--- a/tests/end_to_end/scenarios/simple_channel_join.py
+++ b/tests/end_to_end/scenarios/simple_channel_join.py
@@ -15,6 +15,5 @@ scenario = (
     sequences.connection(),
 
     expect_self_join_presence(jid = '{jid_one}/{resource_one}', chan = "#foo", nick = "{nick_one}"),
-
 )
 
diff --git a/tests/end_to_end/sequences.py b/tests/end_to_end/sequences.py
index b545b1c..f151bc7 100644
--- a/tests/end_to_end/sequences.py
+++ b/tests/end_to_end/sequences.py
@@ -6,7 +6,7 @@ def handshake():
             send_stanza("<handshake xmlns='jabber:component:accept'/>")
            )
 
-def connection_begin(irc_host, jid, expected_irc_presence=False, fixed_irc_server=False):
+def connection_begin(irc_host, jid, expected_irc_presence=False, fixed_irc_server=False, login=None):
     jid = jid.format_map(common_replacements)
     if fixed_irc_server:
         xpath    = "/message[@to='" + jid + "'][@from='biboumi.localhost']/body[text()='%s']"
@@ -26,12 +26,12 @@ def connection_begin(irc_host, jid, expected_irc_presence=False, fixed_irc_serve
     if expected_irc_presence:
         result += (expect_stanza("/presence[@from='" + irc_host + "@biboumi.localhost']"),)
 
+    if login is not None:
+        result += (expect_stanza("/message/body[text()='irc.localhost: You are now logged in as %s']" % (login,)),)
     result += (
-    expect_stanza("/message/body[text()='irc.localhost: ACK multi-prefix']"),
     expect_stanza("/message/body[text()='irc.localhost: *** Looking up your hostname...']"),
-    expect_stanza("/message/body[text()='irc.localhost: *** Found your hostname']"),
-              ),
-
+    expect_stanza("/message/body[text()='irc.localhost: *** Found your hostname']")
+    )
     return result
 
 def connection_tls_begin(irc_host, jid, fixed_irc_server):
@@ -47,9 +47,8 @@ def connection_tls_begin(irc_host, jid, fixed_irc_server):
                       "/message/carbon:private",
                ),
         expect_stanza(xpath % 'Connected to IRC server (encrypted).'),
-        expect_stanza("/message/body[text()='irc.localhost: ACK multi-prefix']"),
         expect_stanza("/message/body[text()='irc.localhost: *** Looking up your hostname...']"),
-        expect_stanza("/message/body[text()='irc.localhost: *** Found your hostname']"),
+        expect_stanza("/message/body[text()='irc.localhost: *** Found your hostname']")
     )
 
 def connection_end(irc_host, jid, fixed_irc_server=False):
@@ -75,8 +74,9 @@ def connection_end(irc_host, jid, fixed_irc_server=False):
     expect_stanza(xpath_re % (r'.+? \+Z',)),
     )
 
-def connection(irc_host="irc.localhost", jid="{jid_one}/{resource_one}", expected_irc_presence=False, fixed_irc_server=False):
-    return connection_begin(irc_host, jid, expected_irc_presence, fixed_irc_server=fixed_irc_server) + \
+
+def connection(irc_host="irc.localhost", jid="{jid_one}/{resource_one}", expected_irc_presence=False, fixed_irc_server=False, login=None):
+    return connection_begin(irc_host, jid, expected_irc_presence, fixed_irc_server=fixed_irc_server, login=login) + \
            connection_end(irc_host, jid, fixed_irc_server=fixed_irc_server)
 
 def connection_tls(irc_host="irc.localhost", jid="{jid_one}/{resource_one}", fixed_irc_server=False):
-- 
cgit v1.2.3