mirror of
https://github.com/ergochat/ergo.git
synced 2024-11-24 21:09:30 +01:00
480 lines
15 KiB
Go
480 lines
15 KiB
Go
// Copyright (c) 2021 Shivaram Lingamneni
|
|
// released under the MIT license
|
|
|
|
package irc
|
|
|
|
import (
|
|
"fmt"
|
|
"regexp"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/ergochat/irc-go/ircmsg"
|
|
|
|
"github.com/ergochat/ergo/irc/custime"
|
|
"github.com/ergochat/ergo/irc/flatip"
|
|
"github.com/ergochat/ergo/irc/sno"
|
|
"github.com/ergochat/ergo/irc/utils"
|
|
)
|
|
|
|
func consumeDuration(params []string, rb *ResponseBuffer) (duration time.Duration, requireSASL bool, remainingParams []string, err error) {
|
|
remainingParams = params
|
|
for {
|
|
if duration == 0 && 2 <= len(remainingParams) && strings.ToLower(remainingParams[0]) == "duration" {
|
|
duration, err = custime.ParseDuration(remainingParams[1])
|
|
if err != nil {
|
|
rb.Notice(rb.session.client.t("Invalid time duration for NS SUSPEND"))
|
|
return
|
|
}
|
|
remainingParams = remainingParams[2:]
|
|
continue
|
|
}
|
|
if !requireSASL && 1 <= len(remainingParams) && strings.ToLower(remainingParams[0]) == "require-sasl" {
|
|
requireSASL = true
|
|
remainingParams = remainingParams[1:]
|
|
continue
|
|
}
|
|
break
|
|
}
|
|
return
|
|
}
|
|
|
|
// a UBAN target is one of these syntactically unambiguous entities:
|
|
// an IP, a CIDR, a NUH mask, or an account name
|
|
type ubanType uint
|
|
|
|
const (
|
|
ubanCIDR ubanType = iota
|
|
ubanNickmask
|
|
ubanNick
|
|
)
|
|
|
|
// tagged union, i guess
|
|
type ubanTarget struct {
|
|
banType ubanType
|
|
|
|
cidr flatip.IPNet
|
|
matcher *regexp.Regexp
|
|
nickOrMask string
|
|
}
|
|
|
|
func parseUbanTarget(param string) (target ubanTarget, err error) {
|
|
if utils.SafeErrorParam(param) == "*" {
|
|
err = errInvalidParams
|
|
return
|
|
}
|
|
|
|
ipnet, ipErr := flatip.ParseToNormalizedNet(param)
|
|
if ipErr == nil {
|
|
target.banType = ubanCIDR
|
|
target.cidr = ipnet
|
|
return
|
|
}
|
|
|
|
if strings.IndexByte(param, '!') != -1 || strings.IndexByte(param, '@') != -1 {
|
|
canonicalized, cErr := CanonicalizeMaskWildcard(param)
|
|
if cErr != nil {
|
|
err = errInvalidParams
|
|
return
|
|
}
|
|
re, reErr := utils.CompileGlob(canonicalized, false)
|
|
if reErr != nil {
|
|
err = errInvalidParams
|
|
return
|
|
}
|
|
target.banType = ubanNickmask
|
|
target.nickOrMask = canonicalized
|
|
target.matcher = re
|
|
return
|
|
}
|
|
|
|
if _, cErr := CasefoldName(param); cErr == nil {
|
|
target.banType = ubanNick
|
|
target.nickOrMask = param
|
|
return
|
|
}
|
|
|
|
err = errInvalidParams
|
|
return
|
|
}
|
|
|
|
// UBAN <subcommand> [target] [DURATION <duration>] [reason...]
|
|
func ubanHandler(server *Server, client *Client, msg ircmsg.Message, rb *ResponseBuffer) bool {
|
|
subcommand := strings.ToLower(msg.Params[0])
|
|
params := msg.Params[1:]
|
|
var target ubanTarget
|
|
if subcommand != "list" {
|
|
if len(msg.Params) == 1 {
|
|
rb.Add(nil, client.server.name, "FAIL", "UBAN", "INVALID_PARAMS", client.t("Not enough parameters"))
|
|
return false
|
|
}
|
|
var parseErr error
|
|
target, parseErr = parseUbanTarget(params[0])
|
|
if parseErr != nil {
|
|
rb.Add(nil, client.server.name, "FAIL", "UBAN", "INVALID_PARAMS", client.t("Couldn't parse ban target"))
|
|
return false
|
|
}
|
|
params = params[1:]
|
|
}
|
|
|
|
switch subcommand {
|
|
case "add":
|
|
return ubanAddHandler(client, target, params, rb)
|
|
case "del", "remove", "rm":
|
|
return ubanDelHandler(client, target, params, rb)
|
|
case "list":
|
|
return ubanListHandler(client, params, rb)
|
|
case "info":
|
|
return ubanInfoHandler(client, target, params, rb)
|
|
default:
|
|
rb.Add(nil, server.name, "FAIL", "UBAN", "UNKNOWN_COMMAND", client.t("Unknown command"))
|
|
return false
|
|
}
|
|
}
|
|
|
|
func sessionsForCIDR(server *Server, cidr flatip.IPNet, exclude *Session, requireSASL bool) (sessions []*Session, nicks []string) {
|
|
for _, client := range server.clients.AllClients() {
|
|
if requireSASL && client.Account() != "" {
|
|
continue
|
|
}
|
|
for _, session := range client.Sessions() {
|
|
seen := false
|
|
if session != exclude && cidr.Contains(flatip.FromNetIP(session.IP())) {
|
|
sessions = append(sessions, session)
|
|
if !seen {
|
|
seen = true
|
|
nicks = append(nicks, session.client.Nick())
|
|
}
|
|
}
|
|
}
|
|
}
|
|
return
|
|
}
|
|
|
|
func ubanAddHandler(client *Client, target ubanTarget, params []string, rb *ResponseBuffer) bool {
|
|
duration, requireSASL, params, err := consumeDuration(params, rb)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
|
|
operReason := strings.Join(params, " ")
|
|
|
|
switch target.banType {
|
|
case ubanCIDR:
|
|
err = ubanAddCIDR(client, target, duration, requireSASL, operReason, rb)
|
|
case ubanNickmask:
|
|
err = ubanAddNickmask(client, target, duration, operReason, rb)
|
|
case ubanNick:
|
|
err = ubanAddAccount(client, target, duration, operReason, rb)
|
|
}
|
|
if err == nil {
|
|
announceUban(client, true, target, duration, requireSASL, operReason)
|
|
}
|
|
return false
|
|
}
|
|
|
|
func announceUban(client *Client, add bool, target ubanTarget, duration time.Duration, requireSASL bool, operReason string) {
|
|
oper := client.Oper()
|
|
if oper == nil {
|
|
return
|
|
}
|
|
operName := oper.Name
|
|
|
|
var buf strings.Builder
|
|
fmt.Fprintf(&buf, "Operator %s", operName)
|
|
|
|
if add {
|
|
buf.WriteString(" added")
|
|
} else {
|
|
buf.WriteString(" removed")
|
|
}
|
|
switch target.banType {
|
|
case ubanCIDR:
|
|
buf.WriteString(" an IP-based")
|
|
case ubanNickmask:
|
|
buf.WriteString(" a NUH-mask")
|
|
case ubanNick:
|
|
buf.WriteString(" an account suspension")
|
|
}
|
|
buf.WriteString(" UBAN against ")
|
|
switch target.banType {
|
|
case ubanCIDR:
|
|
buf.WriteString(target.cidr.String())
|
|
case ubanNickmask, ubanNick:
|
|
buf.WriteString(target.nickOrMask)
|
|
}
|
|
if duration != 0 {
|
|
fmt.Fprintf(&buf, " [duration: %v]", duration)
|
|
}
|
|
if requireSASL {
|
|
buf.WriteString(" [require-SASL]")
|
|
}
|
|
if operReason != "" {
|
|
fmt.Fprintf(&buf, " [reason: %s]", operReason)
|
|
}
|
|
line := buf.String()
|
|
client.server.snomasks.Send(sno.LocalXline, line)
|
|
client.server.logger.Info("opers", line)
|
|
}
|
|
|
|
func ubanAddCIDR(client *Client, target ubanTarget, duration time.Duration, requireSASL bool, operReason string, rb *ResponseBuffer) (err error) {
|
|
err = client.server.dlines.AddNetwork(target.cidr, duration, requireSASL, "", operReason, client.Oper().Name)
|
|
if err == nil {
|
|
rb.Notice(fmt.Sprintf(client.t("Successfully added UBAN for %s"), target.cidr.HumanReadableString()))
|
|
} else {
|
|
client.server.logger.Error("internal", "ubanAddCIDR failed", err.Error())
|
|
rb.Notice(client.t("An error occurred"))
|
|
return
|
|
}
|
|
|
|
sessions, nicks := sessionsForCIDR(client.server, target.cidr, rb.session, requireSASL)
|
|
for _, session := range sessions {
|
|
session.client.Quit("You have been banned from this server", session)
|
|
session.client.destroy(session)
|
|
}
|
|
|
|
if len(sessions) != 0 {
|
|
rb.Notice(fmt.Sprintf(client.t("Killed %[1]d active client(s) from %[2]s, associated with %[3]d nickname(s):"), len(sessions), target.cidr.String(), len(nicks)))
|
|
for _, line := range utils.BuildTokenLines(400, nicks, " ") {
|
|
rb.Notice(line)
|
|
}
|
|
}
|
|
return
|
|
}
|
|
|
|
func ubanAddNickmask(client *Client, target ubanTarget, duration time.Duration, operReason string, rb *ResponseBuffer) (err error) {
|
|
err = client.server.klines.AddMask(target.nickOrMask, duration, "", operReason, client.Oper().Name)
|
|
if err == nil {
|
|
rb.Notice(fmt.Sprintf(client.t("Successfully added UBAN for %s"), target.nickOrMask))
|
|
} else {
|
|
client.server.logger.Error("internal", "ubanAddNickmask failed", err.Error())
|
|
rb.Notice(client.t("An error occurred"))
|
|
return
|
|
}
|
|
|
|
var killed []string
|
|
var alwaysOn []string
|
|
for _, mcl := range client.server.clients.AllClients() {
|
|
if mcl != client && target.matcher.MatchString(mcl.NickMaskCasefolded()) {
|
|
if !mcl.AlwaysOn() {
|
|
killed = append(killed, mcl.Nick())
|
|
mcl.Quit("You have been banned from this server", nil)
|
|
mcl.destroy(nil)
|
|
} else {
|
|
alwaysOn = append(alwaysOn, mcl.Nick())
|
|
}
|
|
}
|
|
}
|
|
if len(killed) != 0 {
|
|
rb.Notice(fmt.Sprintf(client.t("Killed %d clients:"), len(killed)))
|
|
for _, line := range utils.BuildTokenLines(400, killed, " ") {
|
|
rb.Notice(line)
|
|
}
|
|
}
|
|
if len(alwaysOn) != 0 {
|
|
rb.Notice(fmt.Sprintf(client.t("Warning: %d clients matched this rule, but were not killed due to being always-on:"), len(alwaysOn)))
|
|
for _, line := range utils.BuildTokenLines(400, alwaysOn, " ") {
|
|
rb.Notice(line)
|
|
}
|
|
rb.Notice(client.t("You can suspend their accounts instead; try /UBAN ADD <nickname>"))
|
|
}
|
|
return
|
|
}
|
|
|
|
func ubanAddAccount(client *Client, target ubanTarget, duration time.Duration, operReason string, rb *ResponseBuffer) (err error) {
|
|
account := target.nickOrMask
|
|
// TODO this doesn't enumerate all sessions if ForceNickEqualsAccount is disabled
|
|
var sessionData []SessionData
|
|
if mcl := client.server.clients.Get(account); mcl != nil {
|
|
sessionData, _ = mcl.AllSessionData(nil, true)
|
|
}
|
|
|
|
err = client.server.accounts.Suspend(account, duration, client.Oper().Name, operReason)
|
|
switch err {
|
|
case nil:
|
|
rb.Notice(fmt.Sprintf(client.t("Successfully suspended account %s"), account))
|
|
if len(sessionData) != 0 {
|
|
rb.Notice(fmt.Sprintf(client.t("Disconnected %d client(s) associated with the account, using the following IPs:"), len(sessionData)))
|
|
for i, d := range sessionData {
|
|
rb.Notice(fmt.Sprintf("%d. %s", i+1, d.ip.String()))
|
|
}
|
|
}
|
|
case errAccountDoesNotExist:
|
|
rb.Notice(client.t("No such account"))
|
|
default:
|
|
rb.Notice(client.t("An error occurred"))
|
|
}
|
|
return
|
|
}
|
|
|
|
func ubanDelHandler(client *Client, target ubanTarget, params []string, rb *ResponseBuffer) bool {
|
|
var err error
|
|
var targetString string
|
|
switch target.banType {
|
|
case ubanCIDR:
|
|
if target.cidr.PrefixLen == 128 {
|
|
client.server.connectionLimiter.ResetThrottle(target.cidr.IP)
|
|
rb.Notice(fmt.Sprintf(client.t("Reset throttle for IP: %s"), target.cidr.IP.String()))
|
|
}
|
|
targetString = target.cidr.HumanReadableString()
|
|
err = client.server.dlines.RemoveNetwork(target.cidr)
|
|
case ubanNickmask:
|
|
targetString = target.nickOrMask
|
|
err = client.server.klines.RemoveMask(target.nickOrMask)
|
|
case ubanNick:
|
|
targetString = target.nickOrMask
|
|
err = client.server.accounts.Unsuspend(target.nickOrMask)
|
|
}
|
|
if err == nil {
|
|
rb.Notice(fmt.Sprintf(client.t("Successfully removed ban on %s"), targetString))
|
|
announceUban(client, false, target, 0, false, "")
|
|
} else {
|
|
rb.Notice(fmt.Sprintf(client.t("Could not remove ban: %v"), err))
|
|
}
|
|
return false
|
|
}
|
|
|
|
func ubanListHandler(client *Client, params []string, rb *ResponseBuffer) bool {
|
|
allDlines := client.server.dlines.AllBans()
|
|
rb.Notice(fmt.Sprintf(client.t("There are %d active IP/network ban(s) (DLINEs)"), len(allDlines)))
|
|
for key, info := range allDlines {
|
|
rb.Notice(formatBanForListing(client, key, info))
|
|
}
|
|
rb.Notice(client.t("Some IPs may also be prevented from connecting by the connection limiter and/or throttler"))
|
|
|
|
allKlines := client.server.klines.AllBans()
|
|
rb.Notice(fmt.Sprintf(client.t("There are %d active ban(s) on nick-user-host masks (KLINEs)"), len(allKlines)))
|
|
for key, info := range allKlines {
|
|
rb.Notice(formatBanForListing(client, key, info))
|
|
}
|
|
|
|
listAccountSuspensions(client, rb, client.server.name)
|
|
|
|
return false
|
|
}
|
|
|
|
func ubanInfoHandler(client *Client, target ubanTarget, params []string, rb *ResponseBuffer) bool {
|
|
switch target.banType {
|
|
case ubanCIDR:
|
|
ubanInfoCIDR(client, target, rb)
|
|
case ubanNickmask:
|
|
ubanInfoNickmask(client, target, rb)
|
|
case ubanNick:
|
|
ubanInfoNick(client, target, rb)
|
|
}
|
|
return false
|
|
}
|
|
|
|
func ubanInfoCIDR(client *Client, target ubanTarget, rb *ResponseBuffer) {
|
|
config := client.server.Config()
|
|
// show connection limiter/throttler state if this CIDR is entirely
|
|
// contained in a single limiter/throttler bucket:
|
|
ones, bits := target.cidr.Size()
|
|
showLimiter := (bits == 32 && ones >= config.Server.IPLimits.CidrLenIPv4) ||
|
|
(bits == 128 && ones >= config.Server.IPLimits.CidrLenIPv6)
|
|
sendMaskWarning := (bits == 128 && ones > config.Server.IPLimits.CidrLenIPv6)
|
|
if showLimiter {
|
|
netName, status := client.server.connectionLimiter.Status(target.cidr.IP)
|
|
if status.Exempt {
|
|
rb.Notice(fmt.Sprintf(client.t("IP %s is exempt from connection limits"), target.cidr.IP.String()))
|
|
} else {
|
|
rb.Notice(fmt.Sprintf(client.t("Network %[1]s has %[2]d active connections out of a maximum of %[3]d"), netName, status.Count, status.MaxCount))
|
|
rb.Notice(fmt.Sprintf(client.t("Network %[1]s has had %[2]d connection attempts in the past %[3]v, out of a maximum of %[4]d"), netName, status.Throttle, status.ThrottleDuration, status.MaxPerWindow))
|
|
}
|
|
}
|
|
|
|
str := target.cidr.HumanReadableString()
|
|
isBanned, banInfo := client.server.dlines.CheckIP(target.cidr.IP)
|
|
if isBanned {
|
|
rb.Notice(formatBanForListing(client, str, banInfo))
|
|
} else {
|
|
rb.Notice(fmt.Sprintf(client.t("There is no active IP ban against %s"), str))
|
|
}
|
|
|
|
sessions, nicks := sessionsForCIDR(client.server, target.cidr, nil, false)
|
|
if len(sessions) != 0 {
|
|
rb.Notice(fmt.Sprintf(client.t("There are %[1]d active client(s) from %[2]s, associated with %[3]d nickname(s):"), len(sessions), target.cidr.String(), len(nicks)))
|
|
for _, line := range utils.BuildTokenLines(400, nicks, " ") {
|
|
rb.Notice(line)
|
|
}
|
|
}
|
|
if sendMaskWarning {
|
|
rb.Notice(fmt.Sprintf(client.t("Note: try evaluating a wider IPv6 CIDR like %s/%d"),
|
|
target.cidr.IP.String(), config.Server.IPLimits.CidrLenIPv6))
|
|
}
|
|
}
|
|
|
|
func ubanInfoNickmask(client *Client, target ubanTarget, rb *ResponseBuffer) {
|
|
isBanned, info := client.server.klines.ContainsMask(target.nickOrMask)
|
|
if isBanned {
|
|
rb.Notice(formatBanForListing(client, target.nickOrMask, info))
|
|
} else {
|
|
rb.Notice(fmt.Sprintf(client.t("No ban exists for %[1]s"), target.nickOrMask))
|
|
}
|
|
|
|
affectedCount := 0
|
|
alwaysOnCount := 0
|
|
for _, mcl := range client.server.clients.AllClients() {
|
|
matches := false
|
|
for _, mask := range mcl.AllNickmasks() {
|
|
if target.matcher.MatchString(mask) {
|
|
matches = true
|
|
break
|
|
}
|
|
}
|
|
if matches {
|
|
if mcl.AlwaysOn() {
|
|
alwaysOnCount++
|
|
} else {
|
|
affectedCount++
|
|
}
|
|
}
|
|
}
|
|
|
|
rb.Notice(fmt.Sprintf(client.t("Adding this mask would affect %[1]d clients (an additional %[2]d clients are exempt due to always-on)"), affectedCount, alwaysOnCount))
|
|
}
|
|
|
|
func ubanInfoNick(client *Client, target ubanTarget, rb *ResponseBuffer) {
|
|
mcl := client.server.clients.Get(target.nickOrMask)
|
|
if mcl != nil {
|
|
details := mcl.Details()
|
|
sessions := mcl.Sessions()
|
|
ip := mcl.IP()
|
|
sendIPBanWarning := false
|
|
if details.account == "" {
|
|
rb.Notice(fmt.Sprintf(client.t("Client %[1]s is unauthenticated and connected from %[2]s"), details.nick, ip.String()))
|
|
sendIPBanWarning = true
|
|
} else {
|
|
rb.Notice(fmt.Sprintf(client.t("Client %[1]s is logged into account %[2]s and has %[3]d active clients (see /NICKSERV CLIENTS LIST %[4]s for more info)"), details.nick, details.accountName, len(mcl.Sessions()), details.nick))
|
|
if !ip.IsLoopback() && len(sessions) == 1 {
|
|
rb.Notice(fmt.Sprintf(client.t("Client %[1]s is associated with IP %[2]s"), details.nick, ip.String()))
|
|
sendIPBanWarning = true
|
|
}
|
|
}
|
|
if sendIPBanWarning {
|
|
rb.Notice(client.t("Warning: banning this IP or a network that contains it may affect other users. Use /UBAN INFO on the candidate IP or network for more information."))
|
|
}
|
|
} else {
|
|
rb.Notice(fmt.Sprintf(client.t("No client is currently using that nickname")))
|
|
}
|
|
|
|
account, err := client.server.accounts.LoadAccount(target.nickOrMask)
|
|
if err != nil {
|
|
if err == errAccountDoesNotExist {
|
|
rb.Notice(fmt.Sprintf(client.t("There is no account registered for %s"), target.nickOrMask))
|
|
} else {
|
|
rb.Notice(fmt.Sprintf(client.t("Couldn't load account: %v"), err.Error()))
|
|
}
|
|
return
|
|
}
|
|
if account.Verified {
|
|
if account.Suspended == nil {
|
|
rb.Notice(fmt.Sprintf(client.t("Account %[1]s is in good standing; see /NICKSERV INFO %[2]s for more details"), target.nickOrMask, target.nickOrMask))
|
|
} else {
|
|
rb.Notice(fmt.Sprintf(client.t("Account %[1]s has been suspended: %[2]s"), target.nickOrMask, suspensionToString(client, *account.Suspended)))
|
|
}
|
|
} else {
|
|
rb.Notice(fmt.Sprintf(client.t("Account %[1]s was created, but has not been verified"), target.nickOrMask))
|
|
}
|
|
}
|