From f439267129f88b8bd6f52f6b80483cf1d7853762 Mon Sep 17 00:00:00 2001
From: James Lu <james@overdrivenetworks.com>
Date: Mon, 7 Aug 2017 21:44:15 -0700
Subject: [PATCH] Allow limiting login blocks to opers & certain hosts

Closes #502.
---
 coremods/corecommands.py | 12 ++++++++++++
 example-conf.yml         |  7 +++++++
 2 files changed, 19 insertions(+)

diff --git a/coremods/corecommands.py b/coremods/corecommands.py
index b73d390..5e6361f 100644
--- a/coremods/corecommands.py
+++ b/coremods/corecommands.py
@@ -22,12 +22,24 @@ def _login(irc, source, username):
 
     logindata = conf.conf['login'].get('accounts', {}).get(username, {})
     network_filter = logindata.get('networks')
+    require_oper = logindata.get('require_oper', False)
+    hosts_filter = logindata.get('hosts', [])
 
     if network_filter and irc.name not in network_filter:
         irc.error("You are not authorized to log in to %r on this network." % username)
         log.warning("(%s) Failed login to %r from %s (wrong network: networks filter says %r but we got %r)", irc.name, username, irc.get_hostmask(source), ', '.join(network_filter), irc.name)
         return
 
+    elif require_oper and not irc.is_oper(source, allowAuthed=False):
+        irc.error("You must be opered up to log in to %r." % username)
+        log.warning("(%s) Failed login to %r from %s (needs oper)", irc.name, username, irc.get_hostmask(source))
+        return
+
+    elif hosts_filter and not any(irc.match_host(host, source) for host in hosts_filter):
+        irc.error("Failed to log in to %r: hostname mismatch." % username)
+        log.warning("(%s) Failed login to %r from %s (hostname mismatch)", irc.name, username, irc.get_hostmask(source))
+        return
+
     irc.users[source].account = username
     irc.reply('Successfully logged in as %s.' % username)
     log.info("(%s) Successful login to %r by %s",
diff --git a/example-conf.yml b/example-conf.yml
index e3966d8..5a8397e 100644
--- a/example-conf.yml
+++ b/example-conf.yml
@@ -95,6 +95,13 @@ login:
             # Optional: allows limiting this login to users from certain networks only (case sensitive).
             #networks: ["network1", "network2"]
 
+            # Optional: allows limiting this login to opered users
+            #require_oper: false
+
+            # Optional: requires the user to match any of the following hosts. Extended targets
+            # are supported here as well.
+            #hosts: ["*!*@localhost", "*!*@trusted.isp"]
+
 permissions:
     # Permissions are described in more detail in example-permissions.yml, if you want to
     # customize permissions further.