3
0
mirror of https://github.com/ergochat/ergo.git synced 2025-01-20 17:14:08 +01:00

Merge pull request #717 from slingamn/issue716

fix #716
This commit is contained in:
Shivaram Lingamneni 2019-12-25 21:11:53 -05:00 committed by GitHub
commit 68e3b74b79
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 28 additions and 8 deletions

View File

@ -972,7 +972,7 @@ func (am *AccountManager) ChannelsForAccount(account string) (channels []string)
return unmarshalRegisteredChannels(channelStr) return unmarshalRegisteredChannels(channelStr)
} }
func (am *AccountManager) AuthenticateByCertFP(client *Client) error { func (am *AccountManager) AuthenticateByCertFP(client *Client, authzid string) error {
if client.certfp == "" { if client.certfp == "" {
return errAccountInvalidCredentials return errAccountInvalidCredentials
} }
@ -992,6 +992,10 @@ func (am *AccountManager) AuthenticateByCertFP(client *Client) error {
return err return err
} }
if authzid != "" && authzid != account {
return errAuthzidAuthcidMismatch
}
// ok, we found an account corresponding to their certificate // ok, we found an account corresponding to their certificate
clientAccount, err := am.LoadAccount(account) clientAccount, err := am.LoadAccount(account)
if err != nil { if err != nil {

View File

@ -27,6 +27,7 @@ var (
errAccountVerificationInvalidCode = errors.New("Invalid account verification code") errAccountVerificationInvalidCode = errors.New("Invalid account verification code")
errAccountUpdateFailed = errors.New(`Error while updating your account information`) errAccountUpdateFailed = errors.New(`Error while updating your account information`)
errAccountMustHoldNick = errors.New(`You must hold that nickname in order to register it`) errAccountMustHoldNick = errors.New(`You must hold that nickname in order to register it`)
errAuthzidAuthcidMismatch = errors.New(`authcid and authzid must be the same`)
errCallbackFailed = errors.New("Account verification could not be sent") errCallbackFailed = errors.New("Account verification could not be sent")
errCertfpAlreadyExists = errors.New(`An account already exists for your certificate fingerprint`) errCertfpAlreadyExists = errors.New(`An account already exists for your certificate fingerprint`)
errChannelNotOwnedByAccount = errors.New("Channel not owned by the specified account") errChannelNotOwnedByAccount = errors.New("Channel not owned by the specified account")

View File

@ -446,13 +446,14 @@ func authPlainHandler(server *Server, client *Client, mechanism string, value []
} }
func authErrorToMessage(server *Server, err error) (msg string) { func authErrorToMessage(server *Server, err error) (msg string) {
if err == errAccountDoesNotExist || err == errAccountUnverified || err == errAccountInvalidCredentials { switch err {
msg = err.Error() case errAccountDoesNotExist, errAccountUnverified, errAccountInvalidCredentials, errAuthzidAuthcidMismatch:
} else { return err.Error()
default:
// don't expose arbitrary error messages to the user
server.logger.Error("internal", "sasl authentication failure", err.Error()) server.logger.Error("internal", "sasl authentication failure", err.Error())
msg = "Unknown" return "Unknown"
} }
return
} }
// AUTHENTICATE EXTERNAL // AUTHENTICATE EXTERNAL
@ -462,7 +463,21 @@ func authExternalHandler(server *Server, client *Client, mechanism string, value
return false return false
} }
err := server.accounts.AuthenticateByCertFP(client) // EXTERNAL doesn't carry an authentication ID (this is determined from the
// certificate), but does carry an optional authorization ID.
var authzid string
var err error
if len(value) != 0 {
authzid, err = CasefoldName(string(value))
if err != nil {
err = errAuthzidAuthcidMismatch
}
}
if err == nil {
err = server.accounts.AuthenticateByCertFP(client, authzid)
}
if err != nil { if err != nil {
msg := authErrorToMessage(server, err) msg := authErrorToMessage(server, err)
rb.Add(nil, server.name, ERR_SASLFAIL, client.nick, fmt.Sprintf("%s: %s", client.t("SASL authentication failed"), client.t(msg))) rb.Add(nil, server.name, ERR_SASLFAIL, client.nick, fmt.Sprintf("%s: %s", client.t("SASL authentication failed"), client.t(msg)))

View File

@ -536,7 +536,7 @@ func nsIdentifyHandler(server *Server, client *Client, command string, params []
// try certfp // try certfp
if !loginSuccessful && client.certfp != "" { if !loginSuccessful && client.certfp != "" {
err := server.accounts.AuthenticateByCertFP(client) err := server.accounts.AuthenticateByCertFP(client, "")
loginSuccessful = (err == nil) loginSuccessful = (err == nil)
} }