ergo/irc/gateways.go

// Copyright (c) 2012-2014 Jeremy Latt
// Copyright (c) 2014-2015 Edmund Huber
// Copyright (c) 2017 Daniel Oaks <daniel@danieloaks.net>
// released under the MIT license

package irc

import (
	"errors"
	"fmt"
	"net"
	"strings"

	"github.com/oragono/oragono/irc/modes"
	"github.com/oragono/oragono/irc/utils"
)

var (
	errBadGatewayAddress = errors.New("PROXY/WEBIRC commands are not accepted from this IP address")
	errBadProxyLine      = errors.New("Invalid PROXY/WEBIRC command")
)

type webircConfig struct {
	PasswordString string `yaml:"password"`
	Password       []byte `yaml:"password-bytes"`
	Fingerprint    string
	Hosts          []string
	allowedNets    []net.IPNet
}

// Populate fills out our password or fingerprint.
func (wc *webircConfig) Populate() (err error) {
	if wc.Fingerprint == "" && wc.PasswordString == "" {
		return ErrNoFingerprintOrPassword
	}

	if wc.PasswordString != "" {
		wc.Password, err = decodeLegacyPasswordHash(wc.PasswordString)
	}

	if err == nil {
		wc.allowedNets, err = utils.ParseNetList(wc.Hosts)
	}

	return err
}

// ApplyProxiedIP applies the given IP to the client.
func (client *Client) ApplyProxiedIP(session *Session, proxiedIP string, tls bool) (success bool) {
	// PROXY and WEBIRC are never accepted from a Tor listener, even if the address itself
	// is whitelisted:
	if client.isTor {
		return false
	}

	// ensure IP is sane
	parsedProxiedIP := net.ParseIP(proxiedIP).To16()
	if parsedProxiedIP == nil {
		client.Quit(fmt.Sprintf(client.t("Proxied IP address is not valid: [%s]"), proxiedIP), session)
		return false
	}

	isBanned, banMsg := client.server.checkBans(parsedProxiedIP)
	if isBanned {
		client.Quit(banMsg, session)
		return false
	}

	// given IP is sane! override the client's current IP
	ipstring := parsedProxiedIP.String()
	client.server.logger.Info("localconnect-ip", "Accepted proxy IP for client", ipstring)
	rawHostname := utils.LookupHostname(ipstring)

	client.stateMutex.Lock()
	defer client.stateMutex.Unlock()
	client.proxiedIP = parsedProxiedIP
	client.rawHostname = rawHostname
	// nickmask will be updated when the client completes registration
	// set tls info
	client.certfp = ""
	client.SetMode(modes.TLS, tls)

	return true
}

// handle the PROXY command: http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
// PROXY must be sent as the first message in the session and has the syntax:
// PROXY TCP[46] SOURCEIP DESTIP SOURCEPORT DESTPORT\r\n
// unfortunately, an ipv6 SOURCEIP can start with a double colon; in this case,
// the message is invalid IRC and can't be parsed normally, hence the special handling.
func handleProxyCommand(server *Server, client *Client, session *Session, line string) (err error) {
	defer func() {
		if err != nil {
			client.Quit(client.t("Bad or unauthorized PROXY command"), session)
		}
	}()

	params := strings.Fields(line)
	if len(params) != 6 {
		return errBadProxyLine
	}

	if utils.IPInNets(client.realIP, server.Config().Server.proxyAllowedFromNets) {
		// assume PROXY connections are always secure
		if client.ApplyProxiedIP(session, params[2], true) {
			return nil
		} else {
			return errBadProxyLine
		}
	}

	// real source IP is not authorized to issue PROXY:
	return errBadGatewayAddress
}
Allow WEBIRC from specified hosts 2017-10-15 08:18:14 +02:00			`// Copyright (c) 2012-2014 Jeremy Latt`
			`// Copyright (c) 2014-2015 Edmund Huber`
			`// Copyright (c) 2017 Daniel Oaks <daniel@danieloaks.net>`
			`// released under the MIT license`

			`package irc`

			`import (`
fix PROXY protocol support for IPv6 1. Handle PROXY lines with IPv6 addresses starting with :: (similar to WEBIRC in issue #211) 2. Strip v6 mapping from v4 addresses when handling proxied IPs. 2018-09-03 06:19:10 +02:00			`"errors"`
Allow WEBIRC from specified hosts 2017-10-15 08:18:14 +02:00			`"fmt"`
			`"net"`
fix PROXY protocol support for IPv6 1. Handle PROXY lines with IPv6 addresses starting with :: (similar to WEBIRC in issue #211) 2. Strip v6 mapping from v4 addresses when handling proxied IPs. 2018-09-03 06:19:10 +02:00			`"strings"`
Allow WEBIRC from specified hosts 2017-10-15 08:18:14 +02:00
Split modes into a subpackage (this is painful, but will force us to simplify and improve the API for interacting with modes) 2018-02-03 11:21:32 +01:00			`"github.com/oragono/oragono/irc/modes"`
Allow WEBIRC from specified hosts 2017-10-15 08:18:14 +02:00			`"github.com/oragono/oragono/irc/utils"`
			`)`

fix PROXY protocol support for IPv6 1. Handle PROXY lines with IPv6 addresses starting with :: (similar to WEBIRC in issue #211) 2. Strip v6 mapping from v4 addresses when handling proxied IPs. 2018-09-03 06:19:10 +02:00			`var (`
			`errBadGatewayAddress = errors.New("PROXY/WEBIRC commands are not accepted from this IP address")`
			`errBadProxyLine = errors.New("Invalid PROXY/WEBIRC command")`
			`)`

Allow WEBIRC from specified hosts 2017-10-15 08:18:14 +02:00			`type webircConfig struct {`
WEBIRC: Export fields so the config loads properly 2017-10-15 10:15:18 +02:00			PasswordString string `yaml:"password"`
			Password []byte `yaml:"password-bytes"`
WEBIRC: Allow protecting with fingerprint and parse `tls` flag 2017-10-16 00:47:49 +02:00			`Fingerprint string`
WEBIRC: Export fields so the config loads properly 2017-10-15 10:15:18 +02:00			`Hosts []string`
add sasl-only config option 2019-02-05 06:19:03 +01:00			`allowedNets []net.IPNet`
Allow WEBIRC from specified hosts 2017-10-15 08:18:14 +02:00			`}`

WEBIRC: Allow protecting with fingerprint and parse `tls` flag 2017-10-16 00:47:49 +02:00			`// Populate fills out our password or fingerprint.`
			`func (wc *webircConfig) Populate() (err error) {`
			`if wc.Fingerprint == "" && wc.PasswordString == "" {`
Move all errors into errors.go 2018-02-03 13:03:36 +01:00			`return ErrNoFingerprintOrPassword`
WEBIRC: Allow protecting with fingerprint and parse `tls` flag 2017-10-16 00:47:49 +02:00			`}`

			`if wc.PasswordString != "" {`
refactor the password hashing / password autoupgrade system 2018-08-06 04:51:39 +02:00			`wc.Password, err = decodeLegacyPasswordHash(wc.PasswordString)`
WEBIRC: Allow protecting with fingerprint and parse `tls` flag 2017-10-16 00:47:49 +02:00			`}`
support unix domain sockets 2018-02-01 21:53:49 +01:00
add sasl-only config option 2019-02-05 06:19:03 +01:00			`if err == nil {`
			`wc.allowedNets, err = utils.ParseNetList(wc.Hosts)`
support unix domain sockets 2018-02-01 21:53:49 +01:00			`}`

add sasl-only config option 2019-02-05 06:19:03 +01:00			`return err`
support unix domain sockets 2018-02-01 21:53:49 +01:00			`}`

Allow WEBIRC from specified hosts 2017-10-15 08:18:14 +02:00			`// ApplyProxiedIP applies the given IP to the client.`
initial implementation of bouncer functionality 2019-04-12 06:08:46 +02:00			`func (client Client) ApplyProxiedIP(session Session, proxiedIP string, tls bool) (success bool) {`
add support for tor (#369) 2019-02-26 03:50:43 +01:00			`// PROXY and WEBIRC are never accepted from a Tor listener, even if the address itself`
			`// is whitelisted:`
			`if client.isTor {`
			`return false`
			`}`

Allow WEBIRC from specified hosts 2017-10-15 08:18:14 +02:00			`// ensure IP is sane`
add sasl-only config option 2019-02-05 06:19:03 +01:00			`parsedProxiedIP := net.ParseIP(proxiedIP).To16()`
Allow WEBIRC from specified hosts 2017-10-15 08:18:14 +02:00			`if parsedProxiedIP == nil {`
initial implementation of bouncer functionality 2019-04-12 06:08:46 +02:00			`client.Quit(fmt.Sprintf(client.t("Proxied IP address is not valid: [%s]"), proxiedIP), session)`
fix PROXY protocol support for IPv6 1. Handle PROXY lines with IPv6 addresses starting with :: (similar to WEBIRC in issue #211) 2. Strip v6 mapping from v4 addresses when handling proxied IPs. 2018-09-03 06:19:10 +02:00			`return false`
			`}`

Allow WEBIRC from specified hosts 2017-10-15 08:18:14 +02:00			`isBanned, banMsg := client.server.checkBans(parsedProxiedIP)`
			`if isBanned {`
initial implementation of bouncer functionality 2019-04-12 06:08:46 +02:00			`client.Quit(banMsg, session)`
fix PROXY protocol support for IPv6 1. Handle PROXY lines with IPv6 addresses starting with :: (similar to WEBIRC in issue #211) 2. Strip v6 mapping from v4 addresses when handling proxied IPs. 2018-09-03 06:19:10 +02:00			`return false`
Allow WEBIRC from specified hosts 2017-10-15 08:18:14 +02:00			`}`

			`// given IP is sane! override the client's current IP`
clean something up in ApplyProxiedIP 2019-02-05 19:44:33 +01:00			`ipstring := parsedProxiedIP.String()`
			`client.server.logger.Info("localconnect-ip", "Accepted proxy IP for client", ipstring)`
			`rawHostname := utils.LookupHostname(ipstring)`

review fixes, bug fixes 2018-04-23 08:38:35 +02:00			`client.stateMutex.Lock()`
clean something up in ApplyProxiedIP 2019-02-05 19:44:33 +01:00			`defer client.stateMutex.Unlock()`
support unix domain sockets 2018-02-01 21:53:49 +01:00			`client.proxiedIP = parsedProxiedIP`
review fixes, bug fixes 2018-04-23 08:38:35 +02:00			`client.rawHostname = rawHostname`
			`// nickmask will be updated when the client completes registration`
WEBIRC: Allow protecting with fingerprint and parse `tls` flag 2017-10-16 00:47:49 +02:00			`// set tls info`
			`client.certfp = ""`
modes refactor, #255 2018-04-23 00:47:10 +02:00			`client.SetMode(modes.TLS, tls)`
WEBIRC: Allow protecting with fingerprint and parse `tls` flag 2017-10-16 00:47:49 +02:00
fix PROXY protocol support for IPv6 1. Handle PROXY lines with IPv6 addresses starting with :: (similar to WEBIRC in issue #211) 2. Strip v6 mapping from v4 addresses when handling proxied IPs. 2018-09-03 06:19:10 +02:00			`return true`
			`}`

			`// handle the PROXY command: http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt`
			`// PROXY must be sent as the first message in the session and has the syntax:`
			`// PROXY TCP[46] SOURCEIP DESTIP SOURCEPORT DESTPORT\r\n`
			`// unfortunately, an ipv6 SOURCEIP can start with a double colon; in this case,`
			`// the message is invalid IRC and can't be parsed normally, hence the special handling.`
initial implementation of bouncer functionality 2019-04-12 06:08:46 +02:00			`func handleProxyCommand(server Server, client Client, session *Session, line string) (err error) {`
fix PROXY protocol support for IPv6 1. Handle PROXY lines with IPv6 addresses starting with :: (similar to WEBIRC in issue #211) 2. Strip v6 mapping from v4 addresses when handling proxied IPs. 2018-09-03 06:19:10 +02:00			`defer func() {`
			`if err != nil {`
initial implementation of bouncer functionality 2019-04-12 06:08:46 +02:00			`client.Quit(client.t("Bad or unauthorized PROXY command"), session)`
fix PROXY protocol support for IPv6 1. Handle PROXY lines with IPv6 addresses starting with :: (similar to WEBIRC in issue #211) 2. Strip v6 mapping from v4 addresses when handling proxied IPs. 2018-09-03 06:19:10 +02:00			`}`
			`}()`

			`params := strings.Fields(line)`
			`if len(params) != 6 {`
			`return errBadProxyLine`
			`}`

add sasl-only config option 2019-02-05 06:19:03 +01:00			`if utils.IPInNets(client.realIP, server.Config().Server.proxyAllowedFromNets) {`
			`// assume PROXY connections are always secure`
initial implementation of bouncer functionality 2019-04-12 06:08:46 +02:00			`if client.ApplyProxiedIP(session, params[2], true) {`
add sasl-only config option 2019-02-05 06:19:03 +01:00			`return nil`
			`} else {`
			`return errBadProxyLine`
fix PROXY protocol support for IPv6 1. Handle PROXY lines with IPv6 addresses starting with :: (similar to WEBIRC in issue #211) 2. Strip v6 mapping from v4 addresses when handling proxied IPs. 2018-09-03 06:19:10 +02:00			`}`
			`}`

			`// real source IP is not authorized to issue PROXY:`
			`return errBadGatewayAddress`
Allow WEBIRC from specified hosts 2017-10-15 08:18:14 +02:00			`}`