ergo/irc/authscript.go

// Copyright (c) 2020 Shivaram Lingamneni
// released under the MIT license

package irc

import (
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"net"

	"github.com/ergochat/ergo/irc/utils"
)

// JSON-serializable input and output types for the script
type AuthScriptInput struct {
	AccountName string   `json:"accountName,omitempty"`
	Passphrase  string   `json:"passphrase,omitempty"`
	Certfp      string   `json:"certfp,omitempty"`
	PeerCerts   []string `json:"peerCerts,omitempty"`
	peerCerts   []*x509.Certificate
	IP          string `json:"ip,omitempty"`
}

type AuthScriptOutput struct {
	AccountName string `json:"accountName"`
	Success     bool   `json:"success"`
	Error       string `json:"error"`
}

func CheckAuthScript(sem utils.Semaphore, config ScriptConfig, input AuthScriptInput) (output AuthScriptOutput, err error) {
	if sem != nil {
		sem.Acquire()
		defer sem.Release()
	}

	// PEM-encode the peer certificates before applying JSON
	if len(input.peerCerts) != 0 {
		input.PeerCerts = make([]string, len(input.peerCerts))
		for i, cert := range input.peerCerts {
			input.PeerCerts[i] = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}))
		}
	}

	inputBytes, err := json.Marshal(input)
	if err != nil {
		return
	}
	outBytes, err := RunScript(config.Command, config.Args, inputBytes, config.Timeout, config.KillTimeout)
	if err != nil {
		return
	}
	err = json.Unmarshal(outBytes, &output)
	if err != nil {
		return
	}

	if output.Error != "" {
		err = fmt.Errorf("Authentication process reported error: %s", output.Error)
	}
	return
}

type IPScriptResult uint

const (
	IPNotChecked  IPScriptResult = 0
	IPAccepted    IPScriptResult = 1
	IPBanned      IPScriptResult = 2
	IPRequireSASL IPScriptResult = 3
)

type IPScriptInput struct {
	IP string `json:"ip"`
}

type IPScriptOutput struct {
	Result     IPScriptResult `json:"result"`
	BanMessage string         `json:"banMessage"`
	// for caching: the network to which this result is applicable, and a TTL in seconds:
	CacheNet     string `json:"cacheNet"`
	CacheSeconds int    `json:"cacheSeconds"`
	Error        string `json:"error"`
}

func CheckIPBan(sem utils.Semaphore, config ScriptConfig, addr net.IP) (output IPScriptOutput, err error) {
	if sem != nil {
		sem.Acquire()
		defer sem.Release()
	}

	inputBytes, err := json.Marshal(IPScriptInput{IP: addr.String()})
	if err != nil {
		return
	}
	outBytes, err := RunScript(config.Command, config.Args, inputBytes, config.Timeout, config.KillTimeout)
	if err != nil {
		return
	}
	err = json.Unmarshal(outBytes, &output)
	if err != nil {
		return
	}

	if output.Error != "" {
		err = fmt.Errorf("IP ban process reported error: %s", output.Error)
	} else if !(IPAccepted <= output.Result && output.Result <= IPRequireSASL) {
		err = fmt.Errorf("Invalid result from IP checking script: %d", output.Result)
	}

	return
}
fix #1107 2020-06-04 07:18:24 +02:00			`// Copyright (c) 2020 Shivaram Lingamneni`
			`// released under the MIT license`

			`package irc`

			`import (`
fix #414 2020-09-23 08:23:35 +02:00			`"crypto/x509"`
fix #1107 2020-06-04 07:18:24 +02:00			`"encoding/json"`
fix #414 2020-09-23 08:23:35 +02:00			`"encoding/pem"`
fix #1107 2020-06-04 07:18:24 +02:00			`"fmt"`
scripting API for IP bans See discussion on #68. 2020-09-14 10:28:12 +02:00			`"net"`

first pass at renaming Oragono to Ergo 2021-05-25 06:34:38 +02:00			`"github.com/ergochat/ergo/irc/utils"`
fix #1107 2020-06-04 07:18:24 +02:00			`)`

			`// JSON-serializable input and output types for the script`
			`type AuthScriptInput struct {`
fix #414 2020-09-23 08:23:35 +02:00			AccountName string `json:"accountName,omitempty"`
			Passphrase string `json:"passphrase,omitempty"`
			Certfp string `json:"certfp,omitempty"`
			PeerCerts []string `json:"peerCerts,omitempty"`
			`peerCerts []*x509.Certificate`
review fix 2020-06-04 08:03:15 +02:00			IP string `json:"ip,omitempty"`
fix #1107 2020-06-04 07:18:24 +02:00			`}`

			`type AuthScriptOutput struct {`
review fix 2020-06-04 08:03:15 +02:00			AccountName string `json:"accountName"`
			Success bool `json:"success"`
			Error string `json:"error"`
fix #1107 2020-06-04 07:18:24 +02:00			`}`

scripting API for IP bans See discussion on #68. 2020-09-14 10:28:12 +02:00			`func CheckAuthScript(sem utils.Semaphore, config ScriptConfig, input AuthScriptInput) (output AuthScriptOutput, err error) {`
			`if sem != nil {`
			`sem.Acquire()`
			`defer sem.Release()`
			`}`
fix #1107 2020-06-04 07:18:24 +02:00
fix #414 2020-09-23 08:23:35 +02:00			`// PEM-encode the peer certificates before applying JSON`
			`if len(input.peerCerts) != 0 {`
			`input.PeerCerts = make([]string, len(input.peerCerts))`
			`for i, cert := range input.peerCerts {`
			`input.PeerCerts[i] = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}))`
			`}`
			`}`

fix #1107 2020-06-04 07:18:24 +02:00			`inputBytes, err := json.Marshal(input)`
			`if err != nil {`
			`return`
			`}`
scripting API for IP bans See discussion on #68. 2020-09-14 10:28:12 +02:00			`outBytes, err := RunScript(config.Command, config.Args, inputBytes, config.Timeout, config.KillTimeout)`
fix #1107 2020-06-04 07:18:24 +02:00			`if err != nil {`
			`return`
			`}`
scripting API for IP bans See discussion on #68. 2020-09-14 10:28:12 +02:00			`err = json.Unmarshal(outBytes, &output)`
fix #1107 2020-06-04 07:18:24 +02:00			`if err != nil {`
			`return`
			`}`

scripting API for IP bans See discussion on #68. 2020-09-14 10:28:12 +02:00			`if output.Error != "" {`
			`err = fmt.Errorf("Authentication process reported error: %s", output.Error)`
fix #1107 2020-06-04 07:18:24 +02:00			`}`
scripting API for IP bans See discussion on #68. 2020-09-14 10:28:12 +02:00			`return`
			`}`
fix #1107 2020-06-04 07:18:24 +02:00
scripting API for IP bans See discussion on #68. 2020-09-14 10:28:12 +02:00			`type IPScriptResult uint`
fix #1107 2020-06-04 07:18:24 +02:00
scripting API for IP bans See discussion on #68. 2020-09-14 10:28:12 +02:00			`const (`
			`IPNotChecked IPScriptResult = 0`
			`IPAccepted IPScriptResult = 1`
			`IPBanned IPScriptResult = 2`
			`IPRequireSASL IPScriptResult = 3`
			`)`

			`type IPScriptInput struct {`
			IP string `json:"ip"`
fix #1107 2020-06-04 07:18:24 +02:00			`}`

scripting API for IP bans See discussion on #68. 2020-09-14 10:28:12 +02:00			`type IPScriptOutput struct {`
			Result IPScriptResult `json:"result"`
			BanMessage string `json:"banMessage"`
			`// for caching: the network to which this result is applicable, and a TTL in seconds:`
			CacheNet string `json:"cacheNet"`
			CacheSeconds int `json:"cacheSeconds"`
			Error string `json:"error"`
			`}`

			`func CheckIPBan(sem utils.Semaphore, config ScriptConfig, addr net.IP) (output IPScriptOutput, err error) {`
			`if sem != nil {`
			`sem.Acquire()`
			`defer sem.Release()`
fix #1107 2020-06-04 07:18:24 +02:00			`}`

scripting API for IP bans See discussion on #68. 2020-09-14 10:28:12 +02:00			`inputBytes, err := json.Marshal(IPScriptInput{IP: addr.String()})`
			`if err != nil {`
			`return`
			`}`
			`outBytes, err := RunScript(config.Command, config.Args, inputBytes, config.Timeout, config.KillTimeout)`
			`if err != nil {`
			`return`
			`}`
			`err = json.Unmarshal(outBytes, &output)`
fix #1107 2020-06-04 07:18:24 +02:00			`if err != nil {`
scripting API for IP bans See discussion on #68. 2020-09-14 10:28:12 +02:00			`return`
fix #1107 2020-06-04 07:18:24 +02:00			`}`

scripting API for IP bans See discussion on #68. 2020-09-14 10:28:12 +02:00			`if output.Error != "" {`
			`err = fmt.Errorf("IP ban process reported error: %s", output.Error)`
			`} else if !(IPAccepted <= output.Result && output.Result <= IPRequireSASL) {`
			`err = fmt.Errorf("Invalid result from IP checking script: %d", output.Result)`
			`}`

			`return`
fix #1107 2020-06-04 07:18:24 +02:00			`}`