~singpolyma/biboumi

2e1ddeb6547e140e9651231fedcd00e8ee4b1ccd — louiz’ 4 years ago 655bc34
Implement SASL plain authentication
M src/database/database.hpp => src/database/database.hpp +3 -1
@@ 43,6 43,8 @@ class Database

  struct Nick: Column<std::string> { static constexpr auto name = "nick_"; };

  struct SaslPassword: Column<std::string> { static constexpr auto name = "saslpassword_"; };

  struct Pass: Column<std::string> { static constexpr auto name = "pass_"; };

  struct Ports: Column<std::string> { static constexpr auto name = "ports_";


@@ 95,7 97,7 @@ class Database
  using GlobalOptionsTable = Table<Id, Owner, MaxHistoryLength, RecordHistory, GlobalPersistent>;
  using GlobalOptions = GlobalOptionsTable::RowType;

  using IrcServerOptionsTable = Table<Id, Owner, Server, Pass, TlsPorts, Ports, Username, Realname, VerifyCert, TrustedFingerprint, EncodingOut, EncodingIn, MaxHistoryLength, Address, Nick, ThrottleLimit>;
  using IrcServerOptionsTable = Table<Id, Owner, Server, Pass, TlsPorts, Ports, Username, Realname, VerifyCert, TrustedFingerprint, EncodingOut, EncodingIn, MaxHistoryLength, Address, Nick, SaslPassword, ThrottleLimit>;
  using IrcServerOptions = IrcServerOptionsTable::RowType;

  using IrcChannelOptionsTable = Table<Id, Owner, Server, Channel, EncodingOut, EncodingIn, MaxHistoryLength, Persistent, RecordHistoryOptional>;

A src/irc/capability.hpp => src/irc/capability.hpp +9 -0
@@ 0,0 1,9 @@
#pragma once

#include <functional>

struct Capability
{
  std::function<void()> on_ack;
  std::function<void()> on_nack;
};

M src/irc/irc_client.cpp => src/irc/irc_client.cpp +105 -13
@@ 5,6 5,7 @@
#include <irc/irc_client.hpp>
#include <bridge/bridge.hpp>
#include <irc/irc_user.hpp>
#include <utils/base64.hpp>

#include <logger/logger.hpp>
#include <config/config.hpp>


@@ 81,6 82,11 @@ static const std::unordered_map<std::string,
  {"PONG", {&IrcClient::on_pong, {0, 0}}},
  {"KICK", {&IrcClient::on_kick, {3, 0}}},
  {"INVITE", {&IrcClient::on_invite, {2, 0}}},
  {"CAP", {&IrcClient::on_cap, {3, 0}}},
  {"AUTHENTICATE", {&IrcClient::on_authenticate, {1, 0}}},
  {"903", {&IrcClient::on_sasl_success, {0, 0}}},
  {"900", {&IrcClient::on_sasl_login, {3, 0}}},


  {"401", {&IrcClient::on_generic_error, {2, 0}}},
  {"402", {&IrcClient::on_generic_error, {2, 0}}},


@@ 272,18 278,43 @@ void IrcClient::on_connected()
        }
    }

  this->send_message({"CAP", {"REQ", "multi-prefix"}});
  this->send_message({"CAP", {"END"}});
  this->send_gateway_message("Connected to IRC server"s + (this->use_tls ? " (encrypted)": "") + ".");

  this->capabilities["multi-prefix"] = {[]{}, []{}};

#ifdef USE_DATABASE
  auto options = Database::get_irc_server_options(this->bridge.get_bare_jid(),
                                                  this->get_hostname());
  if (!options.col<Database::Pass>().empty())

  const auto& sasl_password = options.col<Database::SaslPassword>();
  const auto& server_password = options.col<Database::Pass>();

  if (!server_password.empty())
    this->send_pass_command(options.col<Database::Pass>());

  if (!sasl_password.empty())
    {
      this->capabilities["sasl"] = {
          [this]
          {
            this->send_message({"AUTHENTICATE", {"PLAIN"}});
            log_warning("negociating SASL now...");
          },
          []
          {
            log_warning("SASL not supported by the server, disconnecting.");
          }
      };
      this->sasl_state = SaslState::needed;
    }
#endif

  this->send_nick_command(this->current_nick);
  {
    for (const auto &pair : this->capabilities)
      this->send_message({ "CAP", {"REQ", pair.first}});
  }

  this->send_nick_command(this->current_nick);
#ifdef USE_DATABASE
  if (Config::get("realname_customization", "true") == "true")
    {


@@ 298,9 329,6 @@ void IrcClient::on_connected()
#else
  this->send_user_command(this->username, this->realname);
#endif
  this->send_gateway_message("Connected to IRC server"s + (this->use_tls ? " (encrypted)": "") + ".");
  this->send_pending_data();
  this->bridge.on_irc_client_connected(this->get_hostname());
}

void IrcClient::on_connection_close(const std::string& error_msg)


@@ 371,12 399,14 @@ void IrcClient::parse_in_buffer(const size_t)
        {
          const auto& limits = it->second.second;
          // Check that the Message is well formed before actually calling
          // the callback. limits.first is the min number of arguments,
          // second is the max
          if (message.arguments.size() < limits.first ||
              (limits.second > 0 && message.arguments.size() > limits.second))
          // the callback.
          const auto args_size = message.arguments.size();
          const auto min = limits.first;
          const auto max = limits.second;
          if (args_size < min ||
              (max > 0 && args_size > max))
            log_warning("Invalid number of arguments for IRC command “", message.command,
                        "”: ", message.arguments.size());
                        "”: ", args_size);
          else
            {
              const auto& cb = it->second.first;


@@ 1266,7 1296,7 @@ void IrcClient::on_unknown_message(const IrcMessage& message)
    return ;
  std::string from = message.prefix;
  std::stringstream ss;
  for (auto it = message.arguments.begin() + 1; it != message.arguments.end(); ++it)
  for (auto it = std::next(message.arguments.begin()); it != message.arguments.end(); ++it)
    {
      ss << *it;
      if (it + 1 != message.arguments.end())


@@ 1299,3 1329,65 @@ long int IrcClient::get_throttle_limit() const
  return 10;
#endif
}

void IrcClient::on_cap(const IrcMessage &message)
{
  const auto& sub_command = message.arguments[1];
  const auto& cap = message.arguments[2];
  auto it = this->capabilities.find(cap);
  if (it == this->capabilities.end())
    {
      log_warning("Received a CAP message for something we didn’t ask, or that we already handled.");
      return;
    }
  Capability& capability = it->second;
  if (sub_command == "ACK")
    capability.on_ack();
  else if (sub_command == "NACK")
    capability.on_nack();
  this->capabilities.erase(it);
  this->cap_end();
}

void IrcClient::on_authenticate(const IrcMessage &)
{
  if (this->sasl_state == SaslState::unneeded)
    {
      log_warning("Received an AUTHENTICATE command but we don’t intend to authenticate…");
      return;
    }
#ifdef USE_DATABASE
  auto options = Database::get_irc_server_options(this->bridge.get_bare_jid(),
                                                  this->get_hostname());
  const auto auth_string = '\0' + options.col<Database::Nick>() + '\0' + options.col<Database::SaslPassword>();
  const auto base64_auth_string = base64::encode(auth_string);
  this->send_message({"AUTHENTICATE", {base64_auth_string}});
#endif
}

void IrcClient::on_sasl_success(const IrcMessage &)
{
  this->sasl_state = SaslState::success;
  this->cap_end();
}

void IrcClient::on_sasl_login(const IrcMessage &message)
{
  const auto& login = message.arguments[2];
  std::string text = "Your are now logged in as " + login;
  if (message.arguments.size() > 3)
    text = message.arguments[3];
  this->bridge.send_xmpp_message(this->hostname, message.prefix, text);
}

void IrcClient::cap_end()
{
  if (!this->capabilities.empty())
    return;
  // If we are currently authenticating through sasl, finish that before sending CAP END
  if (this->sasl_state == SaslState::needed)
    return;

  this->send_message({"CAP", {"END"}});
  this->bridge.on_irc_client_connected(this->get_hostname());
}

M src/irc/irc_client.hpp => src/irc/irc_client.hpp +19 -1
@@ 1,8 1,9 @@
#pragma once


#include <irc/irc_message.hpp>
#include <irc/irc_channel.hpp>
#include <irc/capability.hpp>
#include <irc/sasl.hpp>
#include <irc/iid.hpp>

#include <bridge/history_limit.hpp>


@@ 232,6 233,17 @@ public:
   */
  void on_invited(const IrcMessage& message);
  /**
   *  The IRC server sends a CAP message, as part of capabilities negociation. It could be a ACK,
   *  NACK, or something else
   */
  void on_cap(const IrcMessage& message);
private:
  void cap_end();
public:
  void on_authenticate(const IrcMessage& message);
  void on_sasl_success(const IrcMessage& message);
  void on_sasl_login(const IrcMessage& message);
  /**
   * The channel has been completely joined (self presence, topic, all names
   * received etc), send the self presence and topic to the XMPP user.
   */


@@ 360,6 372,12 @@ private:
   */
  bool welcomed;
  /**
   * Whether or not we are trying to authenticate using sasl. If this is true we need to wait for a
   * successful auth
   */
  SaslState sasl_state{SaslState::unneeded};
  std::map<std::string, Capability> capabilities;
  /**
   * See http://www.irc.org/tech_docs/draft-brocklesby-irc-isupport-03.txt section 3.3
   * We store the possible chanmodes in this object.
   * chanmodes[0] contains modes of type A, [1] of type B etc

A src/irc/sasl.hpp => src/irc/sasl.hpp +9 -0
@@ 0,0 1,9 @@
#pragma once

enum class SaslState
{
  unneeded,
  needed,
  failure,
  success,
};

A src/utils/base64.cpp => src/utils/base64.cpp +19 -0
@@ 0,0 1,19 @@
#include <utils/base64.hpp>

#ifdef BOTAN_FOUND
#include <botan/base64.h>
#endif

namespace base64
{

std::string encode(const std::string &input)
{
#ifdef BOTAN_FOUND
  return Botan::base64_encode(reinterpret_cast<const uint8_t*>(input.data()), input.size());
#else
#error "base64::encode() not yet implemented without Botan."
#endif
}

}

A src/utils/base64.hpp => src/utils/base64.hpp +10 -0
@@ 0,0 1,10 @@
#pragma once

#include "biboumi.h"

#include <string>

namespace base64
{
std::string encode(const std::string& input);
}

M src/xmpp/biboumi_adhoc_commands.cpp => src/xmpp/biboumi_adhoc_commands.cpp +16 -0
@@ 326,6 326,19 @@ void ConfigureIrcServerStep1(XmppComponent&, AdhocSession& session, XmlNode& com
  }

  {
    XmlSubNode field(x, "field");
    field["var"] = "sasl_password";
    field["type"] = "text-private";
    field["label"] = "SASL Password";
    set_desc(field, "Use it to authenticate with your nick.");
    if (!options.col<Database::SaslPassword>().empty())
      {
        XmlSubNode value(field, "value");
        value.set_inner(options.col<Database::SaslPassword>());
      }
  }

  {
    XmlSubNode pass(x, "field");
    pass["var"] = "pass";
    pass["type"] = "text-private";


@@ 482,6 495,9 @@ void ConfigureIrcServerStep2(XmppComponent& xmpp_component, AdhocSession& sessio
          else if (field->get_tag("var") == "nick" && value)
            options.col<Database::Nick>() = value->get_inner();

          else if (field->get_tag("var") == "sasl_password" && value)
            options.col<Database::SaslPassword>() = value->get_inner();

          else if (field->get_tag("var") == "pass" && value)
            options.col<Database::Pass>() = value->get_inner();


M tests/end_to_end/__main__.py => tests/end_to_end/__main__.py +2 -0
@@ 184,6 184,8 @@ class BiboumiRunner(ProcessRunner):
class IrcServerRunner(ProcessRunner):
    def __init__(self):
        super().__init__()
        # Always start with a fresh state
        os.remove("ircd.db")
        subprocess.run(["oragono", "mkcerts", "--conf", os.getcwd() + "/../tests/end_to_end/ircd.yaml"])
        self.create = asyncio.create_subprocess_exec("oragono", "run", "--conf", os.getcwd() + "/../tests/end_to_end/ircd.yaml",
                                                     stderr=asyncio.subprocess.PIPE)

A tests/end_to_end/scenarios/sasl.py => tests/end_to_end/scenarios/sasl.py +34 -0
@@ 0,0 1,34 @@
from scenarios import *

scenario = (
    send_stanza("<presence from='{jid_one}/{resource_one}' to='#foo%{irc_server_one}/RegisteredUser' ><x xmlns='http://jabber.org/protocol/muc'/></presence>"),
    sequences.connection(),

    simple_channel_join.expect_self_join_presence(jid = '{jid_one}/{resource_one}', chan = "#foo", nick = "RegisteredUser"),

    # Create an account by talking to nickserv directly
    send_stanza("<message from='{jid_one}/{resource_one}' to='nickserv%{irc_server_one}' type='chat'><body>register P4SSW0RD</body></message>"),
    expect_stanza("/message/body[text()='Account created']"),
    expect_stanza("/message/body[text()=\"You're now logged in as RegisteredUser\"]"),
    send_stanza("<presence from='{jid_one}/{resource_one}' to='#foo%{irc_server_one}/{nick_one}' type='unavailable' />"),
    expect_stanza("/presence[@type='unavailable']"),

    # Configure an sasl password
    send_stanza("<iq type='set' id='id1' from='{jid_one}/{resource_one}' to='{irc_server_one}'><command xmlns='http://jabber.org/protocol/commands' node='configure' action='execute' /></iq>"),
    expect_stanza("/iq[@type='result']/commands:command[@node='configure'][@sessionid][@status='executing']",
                  "/iq/commands:command/dataform:x[@type='form']/dataform:field[@type='text-private'][@var='sasl_password']",
                  after = save_value("sessionid", extract_attribute("/iq[@type='result']/commands:command[@node='configure']", "sessionid"))),

    send_stanza("<iq type='set' id='id2' from='{jid_one}/{resource_one}' to='{irc_server_one}'>"
                "<command xmlns='http://jabber.org/protocol/commands' node='configure' sessionid='{sessionid}' action='complete'>"
                "<x xmlns='jabber:x:data' type='submit'>"
                "<field var='sasl_password'><value>P4SSW0RD</value></field>"
                "<field var='ports'><value>6667</value></field>"
                "<field var='nick'><value>RegisteredUser</value></field>"
                "<field var='tls_ports'><value>6697</value><value>6670</value></field>"
                "</x></command></iq>"),
    expect_stanza("/iq[@type='result']/commands:command[@node='configure'][@status='completed']/commands:note[@type='info'][text()='Configuration successfully applied.']"),

    send_stanza("<presence from='{jid_one}/{resource_one}' to='#foo%{irc_server_one}/{nick_one}' ><x xmlns='http://jabber.org/protocol/muc'/></presence>"),
    sequences.connection(login="RegisteredUser")
)

M tests/end_to_end/scenarios/simple_channel_join.py => tests/end_to_end/scenarios/simple_channel_join.py +0 -1
@@ 15,6 15,5 @@ scenario = (
    sequences.connection(),

    expect_self_join_presence(jid = '{jid_one}/{resource_one}', chan = "#foo", nick = "{nick_one}"),

)


M tests/end_to_end/sequences.py => tests/end_to_end/sequences.py +9 -9
@@ 6,7 6,7 @@ def handshake():
            send_stanza("<handshake xmlns='jabber:component:accept'/>")
           )

def connection_begin(irc_host, jid, expected_irc_presence=False, fixed_irc_server=False):
def connection_begin(irc_host, jid, expected_irc_presence=False, fixed_irc_server=False, login=None):
    jid = jid.format_map(common_replacements)
    if fixed_irc_server:
        xpath    = "/message[@to='" + jid + "'][@from='biboumi.localhost']/body[text()='%s']"


@@ 26,12 26,12 @@ def connection_begin(irc_host, jid, expected_irc_presence=False, fixed_irc_serve
    if expected_irc_presence:
        result += (expect_stanza("/presence[@from='" + irc_host + "@biboumi.localhost']"),)

    if login is not None:
        result += (expect_stanza("/message/body[text()='irc.localhost: You are now logged in as %s']" % (login,)),)
    result += (
    expect_stanza("/message/body[text()='irc.localhost: ACK multi-prefix']"),
    expect_stanza("/message/body[text()='irc.localhost: *** Looking up your hostname...']"),
    expect_stanza("/message/body[text()='irc.localhost: *** Found your hostname']"),
              ),

    expect_stanza("/message/body[text()='irc.localhost: *** Found your hostname']")
    )
    return result

def connection_tls_begin(irc_host, jid, fixed_irc_server):


@@ 47,9 47,8 @@ def connection_tls_begin(irc_host, jid, fixed_irc_server):
                      "/message/carbon:private",
               ),
        expect_stanza(xpath % 'Connected to IRC server (encrypted).'),
        expect_stanza("/message/body[text()='irc.localhost: ACK multi-prefix']"),
        expect_stanza("/message/body[text()='irc.localhost: *** Looking up your hostname...']"),
        expect_stanza("/message/body[text()='irc.localhost: *** Found your hostname']"),
        expect_stanza("/message/body[text()='irc.localhost: *** Found your hostname']")
    )

def connection_end(irc_host, jid, fixed_irc_server=False):


@@ 75,8 74,9 @@ def connection_end(irc_host, jid, fixed_irc_server=False):
    expect_stanza(xpath_re % (r'.+? \+Z',)),
    )

def connection(irc_host="irc.localhost", jid="{jid_one}/{resource_one}", expected_irc_presence=False, fixed_irc_server=False):
    return connection_begin(irc_host, jid, expected_irc_presence, fixed_irc_server=fixed_irc_server) + \

def connection(irc_host="irc.localhost", jid="{jid_one}/{resource_one}", expected_irc_presence=False, fixed_irc_server=False, login=None):
    return connection_begin(irc_host, jid, expected_irc_presence, fixed_irc_server=fixed_irc_server, login=login) + \
           connection_end(irc_host, jid, fixed_irc_server=fixed_irc_server)

def connection_tls(irc_host="irc.localhost", jid="{jid_one}/{resource_one}", fixed_irc_server=False):