mirror of
https://github.com/ergochat/ergo.git
synced 2024-12-28 05:32:49 +01:00
Merge pull request #1187 from slingamn/defcon.2
fix #328 (implement DEFCON)
This commit is contained in:
commit
205e8c1b76
@ -553,6 +553,7 @@ oper-classes:
|
||||
- "vhosts"
|
||||
- "chanreg"
|
||||
- "history"
|
||||
- "defcon"
|
||||
|
||||
# ircd operators
|
||||
opers:
|
||||
|
@ -579,6 +579,7 @@ oper-classes:
|
||||
- "vhosts"
|
||||
- "chanreg"
|
||||
- "history"
|
||||
- "defcon"
|
||||
|
||||
# ircd operators
|
||||
opers:
|
||||
|
@ -380,8 +380,8 @@ func (am *AccountManager) Register(client *Client, account string, callbackNames
|
||||
|
||||
config := am.server.Config()
|
||||
|
||||
// final "is registration allowed" check, probably redundant:
|
||||
if !(config.Accounts.Registration.Enabled || callbackNamespace == "admin") {
|
||||
// final "is registration allowed" check:
|
||||
if !(config.Accounts.Registration.Enabled || callbackNamespace == "admin") || am.server.Defcon() <= 4 {
|
||||
return errFeatureDisabled
|
||||
}
|
||||
|
||||
@ -1642,6 +1642,11 @@ func (am *AccountManager) performVHostChange(account string, munger vhostMunger)
|
||||
return
|
||||
}
|
||||
|
||||
if am.server.Defcon() <= 3 {
|
||||
err = errFeatureDisabled
|
||||
return
|
||||
}
|
||||
|
||||
am.vHostUpdateMutex.Lock()
|
||||
defer am.vHostUpdateMutex.Unlock()
|
||||
|
||||
|
@ -706,7 +706,8 @@ func (channel *Channel) Join(client *Client, key string, isSajoin bool, rb *Resp
|
||||
return errBanned
|
||||
}
|
||||
|
||||
if channel.flags.HasMode(modes.RegisteredOnly) && details.account == "" {
|
||||
if details.account == "" &&
|
||||
(channel.flags.HasMode(modes.RegisteredOnly) || channel.server.Defcon() <= 2) {
|
||||
return errRegisteredOnly
|
||||
}
|
||||
}
|
||||
|
@ -187,6 +187,10 @@ func (cm *ChannelManager) Cleanup(channel *Channel) {
|
||||
}
|
||||
|
||||
func (cm *ChannelManager) SetRegistered(channelName string, account string) (err error) {
|
||||
if cm.server.Defcon() <= 4 {
|
||||
return errFeatureDisabled
|
||||
}
|
||||
|
||||
var channel *Channel
|
||||
cfname, err := CasefoldChannel(channelName)
|
||||
if err != nil {
|
||||
|
@ -529,7 +529,7 @@ const (
|
||||
authFailSaslRequired
|
||||
)
|
||||
|
||||
func (client *Client) isAuthorized(config *Config, session *Session) AuthOutcome {
|
||||
func (client *Client) isAuthorized(server *Server, config *Config, session *Session) AuthOutcome {
|
||||
saslSent := client.account != ""
|
||||
// PASS requirement
|
||||
if (config.Server.passwordBytes != nil) && session.passStatus != serverPassSuccessful && !(config.Accounts.SkipServerPassword && saslSent) {
|
||||
@ -540,7 +540,8 @@ func (client *Client) isAuthorized(config *Config, session *Session) AuthOutcome
|
||||
return authFailTorSaslRequired
|
||||
}
|
||||
// finally, enforce require-sasl
|
||||
if config.Accounts.RequireSasl.Enabled && !saslSent && !utils.IPInNets(session.IP(), config.Accounts.RequireSasl.exemptedNets) {
|
||||
if !saslSent && (config.Accounts.RequireSasl.Enabled || server.Defcon() <= 2) &&
|
||||
!utils.IPInNets(session.IP(), config.Accounts.RequireSasl.exemptedNets) {
|
||||
return authFailSaslRequired
|
||||
}
|
||||
return authSuccess
|
||||
|
@ -124,6 +124,10 @@ func init() {
|
||||
minParams: 1,
|
||||
oper: true,
|
||||
},
|
||||
"DEFCON": {
|
||||
handler: defconHandler,
|
||||
capabs: []string{"defcon"},
|
||||
},
|
||||
"DEOPER": {
|
||||
handler: deoperHandler,
|
||||
minParams: 0,
|
||||
|
@ -37,6 +37,14 @@ func (server *Server) Languages() (lm *languages.Manager) {
|
||||
return server.Config().languageManager
|
||||
}
|
||||
|
||||
func (server *Server) Defcon() uint32 {
|
||||
return atomic.LoadUint32(&server.defcon)
|
||||
}
|
||||
|
||||
func (server *Server) SetDefcon(defcon uint32) {
|
||||
atomic.StoreUint32(&server.defcon, defcon)
|
||||
}
|
||||
|
||||
func (client *Client) Sessions() (sessions []*Session) {
|
||||
client.stateMutex.RLock()
|
||||
sessions = client.sessions
|
||||
|
@ -759,6 +759,21 @@ func debugHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *Res
|
||||
return false
|
||||
}
|
||||
|
||||
func defconHandler(server *Server, client *Client, msg ircmsg.IrcMessage, rb *ResponseBuffer) bool {
|
||||
if len(msg.Params) > 0 {
|
||||
level, err := strconv.Atoi(msg.Params[0])
|
||||
if err == nil && 1 <= level && level <= 5 {
|
||||
server.SetDefcon(uint32(level))
|
||||
server.snomasks.Send(sno.LocalAnnouncements, fmt.Sprintf("%s [%s] set DEFCON level to %d", client.Nick(), client.Oper().Name, level))
|
||||
} else {
|
||||
rb.Add(nil, server.name, ERR_UNKNOWNERROR, client.Nick(), msg.Command, client.t("Invalid DEFCON parameter"))
|
||||
return false
|
||||
}
|
||||
}
|
||||
rb.Notice(fmt.Sprintf(client.t("Current DEFCON level is %d"), server.Defcon()))
|
||||
return false
|
||||
}
|
||||
|
||||
// helper for parsing the reason args to DLINE and KLINE
|
||||
func getReasonsFromParams(params []string, currentArg int) (reason, operReason string) {
|
||||
reason = "No reason given"
|
||||
@ -2052,6 +2067,10 @@ func dispatchMessageToTarget(client *Client, tags map[string]string, histType hi
|
||||
tnick := tDetails.nick
|
||||
|
||||
details := client.Details()
|
||||
if details.account == "" && server.Defcon() <= 3 {
|
||||
rb.Add(nil, server.name, ERR_NEEDREGGEDNICK, client.Nick(), tnick, client.t("Direct messages from unregistered users are temporarily restricted"))
|
||||
return
|
||||
}
|
||||
nickMaskString := details.nickMask
|
||||
accountName := details.accountName
|
||||
var deliverySessions []*Session
|
||||
|
14
irc/help.go
14
irc/help.go
@ -164,6 +164,20 @@ Provides various debugging commands for the IRCd. <option> can be one of:
|
||||
* STOPCPUPROFILE: Stops the CPU profiler.
|
||||
* PROFILEHEAP: Writes a memory profile.
|
||||
* CRASHSERVER: Crashes the server (for use in failover testing)`,
|
||||
},
|
||||
"defcon": {
|
||||
oper: true,
|
||||
text: `DEFCON [level]
|
||||
|
||||
The DEFCON system can disable server features at runtime, to mitigate
|
||||
spam or other hostile activity. It has five levels, which are cumulative
|
||||
(i.e., level 3 includes all restrictions from level 4 and so on):
|
||||
|
||||
5: Normal operation
|
||||
4: No new account or channel registrations
|
||||
3: All users are +R; no changes to vhosts
|
||||
2: No new unauthenticated connections; all channels are +R
|
||||
1: No new connections except from localhost or other trusted IPs`,
|
||||
},
|
||||
"deoper": {
|
||||
oper: true,
|
||||
|
@ -80,6 +80,7 @@ type Server struct {
|
||||
whoWas WhoWasList
|
||||
stats Stats
|
||||
semaphores ServerSemaphores
|
||||
defcon uint32
|
||||
}
|
||||
|
||||
// NewServer returns a new Oragono server.
|
||||
@ -91,6 +92,7 @@ func NewServer(config *Config, logger *logger.Manager) (*Server, error) {
|
||||
logger: logger,
|
||||
rehashSignal: make(chan os.Signal, 1),
|
||||
signals: make(chan os.Signal, len(ServerExitSignals)),
|
||||
defcon: 5,
|
||||
}
|
||||
|
||||
server.clients.Initialize()
|
||||
@ -149,6 +151,12 @@ func (server *Server) Run() {
|
||||
}
|
||||
|
||||
func (server *Server) checkBans(ipaddr net.IP) (banned bool, message string) {
|
||||
if server.Defcon() == 1 {
|
||||
if !(ipaddr.IsLoopback() || utils.IPInNets(ipaddr, server.Config().Server.secureNets)) {
|
||||
return true, "New connections to this server are temporarily restricted"
|
||||
}
|
||||
}
|
||||
|
||||
// check DLINEs
|
||||
isBanned, info := server.dlines.CheckIP(ipaddr)
|
||||
if isBanned {
|
||||
@ -220,7 +228,8 @@ func (server *Server) tryRegister(c *Client, session *Session) (exiting bool) {
|
||||
|
||||
// client MUST send PASS if necessary, or authenticate with SASL if necessary,
|
||||
// before completing the other registration commands
|
||||
authOutcome := c.isAuthorized(server.Config(), session)
|
||||
config := server.Config()
|
||||
authOutcome := c.isAuthorized(server, config, session)
|
||||
var quitMessage string
|
||||
switch authOutcome {
|
||||
case authFailPass:
|
||||
@ -270,7 +279,7 @@ func (server *Server) tryRegister(c *Client, session *Session) (exiting bool) {
|
||||
// Apply default user modes (without updating the invisible counter)
|
||||
// The number of invisible users will be updated by server.stats.Register
|
||||
// if we're using default user mode +i.
|
||||
for _, defaultMode := range server.Config().Accounts.defaultUserModes {
|
||||
for _, defaultMode := range config.Accounts.defaultUserModes {
|
||||
c.SetMode(defaultMode, true)
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user