mirror of
https://github.com/Mikaela/Limnoria.git
synced 2024-11-27 05:09:23 +01:00
Merge branch 'gpgauth' into testing
Conflicts: src/ircdb.py
This commit is contained in:
commit
2d4914bc99
@ -47,4 +47,13 @@ User = conf.registerPlugin('User')
|
||||
# conf.registerGlobalValue(User, 'someConfigVariableName',
|
||||
# registry.Boolean(False, """Help for someConfigVariableName."""))
|
||||
|
||||
conf.registerGroup(User, 'gpg')
|
||||
|
||||
conf.registerGlobalValue(User.gpg, 'enable',
|
||||
registry.Boolean(True, """Determines whether or not users are
|
||||
allowed to use GPG for authentication."""))
|
||||
conf.registerGlobalValue(User.gpg, 'TokenTimeout',
|
||||
registry.PositiveInteger(60*10, """Determines the lifetime of a GPG
|
||||
authentication token (in seconds)."""))
|
||||
|
||||
# vim:set shiftwidth=4 softtabstop=4 expandtab textwidth=79:
|
||||
|
@ -28,9 +28,12 @@
|
||||
###
|
||||
|
||||
import re
|
||||
import uuid
|
||||
import time
|
||||
import fnmatch
|
||||
|
||||
import supybot.conf as conf
|
||||
import supybot.gpg as gpg
|
||||
import supybot.utils as utils
|
||||
import supybot.ircdb as ircdb
|
||||
from supybot.commands import *
|
||||
@ -391,6 +394,121 @@ class User(callbacks.Plugin):
|
||||
remove = wrap(remove, ['private', 'otherUser', 'something',
|
||||
additional('something', '')])
|
||||
|
||||
class gpg(callbacks.Commands):
|
||||
def __init__(self, *args):
|
||||
super(User.gpg, self).__init__(*args)
|
||||
self._tokens = {}
|
||||
|
||||
def callCommand(self, command, irc, msg, *args, **kwargs):
|
||||
if gpg.available and self.registryValue('gpg.enable'):
|
||||
return super(User.gpg, self) \
|
||||
.callCommand(command, irc, msg, *args, **kwargs)
|
||||
else:
|
||||
irc.error(_('GPG features are not enabled.'))
|
||||
|
||||
def _expire_tokens(self):
|
||||
now = time.time()
|
||||
self._tokens = dict(filter(lambda (x,y): y[1]>now,
|
||||
self._tokens.items()))
|
||||
|
||||
@internationalizeDocstring
|
||||
def add(self, irc, msg, args, user, keyid, keyserver):
|
||||
"""<key id> <key server>
|
||||
|
||||
Add a GPG key to your account."""
|
||||
if keyid in user.gpgkeys:
|
||||
irc.error(_('This key is already associated with your '
|
||||
'account.'))
|
||||
return
|
||||
result = gpg.keyring.recv_keys(keyserver, keyid)
|
||||
reply = format(_('%n imported, %i unchanged, %i not imported.'),
|
||||
(result.imported, _('key')),
|
||||
result.unchanged,
|
||||
result.not_imported,
|
||||
[x['fingerprint'] for x in result.results])
|
||||
if result.imported == 1:
|
||||
user.gpgkeys.append(keyid)
|
||||
irc.reply(reply)
|
||||
else:
|
||||
irc.error(reply)
|
||||
add = wrap(add, ['user', 'somethingWithoutSpaces',
|
||||
'somethingWithoutSpaces'])
|
||||
|
||||
@internationalizeDocstring
|
||||
def remove(self, irc, msg, args, user, fingerprint):
|
||||
"""<fingerprint>
|
||||
|
||||
Remove a GPG key from your account."""
|
||||
try:
|
||||
keyids = [x['keyid'] for x in gpg.keyring.list_keys()
|
||||
if x['fingerprint'] == fingerprint]
|
||||
if len(keyids) == 0:
|
||||
raise ValueError
|
||||
for keyid in keyids:
|
||||
user.gpgkeys.remove(keyid)
|
||||
gpg.keyring.delete_keys(fingerprint)
|
||||
irc.replySuccess()
|
||||
except ValueError:
|
||||
irc.error(_('GPG key not associated with your account.'))
|
||||
remove = wrap(remove, ['user', 'somethingWithoutSpaces'])
|
||||
|
||||
@internationalizeDocstring
|
||||
def gettoken(self, irc, msg, args):
|
||||
"""takes no arguments
|
||||
|
||||
Send you a token that you'll have to sign with your key."""
|
||||
self._expire_tokens()
|
||||
token = '{%s}' % str(uuid.uuid4())
|
||||
lifetime = conf.supybot.plugins.User.gpg.TokenTimeout()
|
||||
self._tokens.update({token: (msg.prefix, time.time()+lifetime)})
|
||||
irc.reply(_('Your token is: %s. Please sign it with your '
|
||||
'GPG key, paste it somewhere, and call the \'auth\' '
|
||||
'command with the URL to the (raw) file containing the '
|
||||
'signature.') % token)
|
||||
gettoken = wrap(gettoken, [])
|
||||
|
||||
_auth_re = re.compile(r'-----BEGIN PGP SIGNED MESSAGE-----\r?\n'
|
||||
r'Hash: .*\r?\n\r?\n'
|
||||
r'\s*({[0-9a-z-]+})\s*\r?\n'
|
||||
r'-----BEGIN PGP SIGNATURE-----\r?\n.*'
|
||||
r'\r?\n-----END PGP SIGNATURE-----',
|
||||
re.S)
|
||||
@internationalizeDocstring
|
||||
def auth(self, irc, msg, args, url):
|
||||
"""<url>
|
||||
|
||||
Check the GPG signature at the <url> and authenticates you if
|
||||
the key used is associated to a user."""
|
||||
self._expire_tokens()
|
||||
match = self._auth_re.search(utils.web.getUrl(url))
|
||||
if not match:
|
||||
irc.error(_('Signature or token not found.'), Raise=True)
|
||||
data = match.group(0)
|
||||
token = match.group(1)
|
||||
if token not in self._tokens:
|
||||
irc.error(_('Unknown token. It may have expired before you '
|
||||
'submit it.'), Raise=True)
|
||||
if self._tokens[token][0] != msg.prefix:
|
||||
irc.error(_('Your hostname/nick changed in the process. '
|
||||
'Authentication aborted.'))
|
||||
verified = gpg.keyring.verify(data)
|
||||
if verified and verified.valid:
|
||||
keyid = verified.key_id
|
||||
prefix, expiry = self._tokens.pop(token)
|
||||
found = False
|
||||
for (id, user) in ircdb.users.items():
|
||||
if keyid in map(lambda x:x[-len(keyid):], user.gpgkeys):
|
||||
user.addAuth(msg.prefix)
|
||||
ircdb.users.setUser(user, flush=False)
|
||||
irc.reply(_('You are now authenticated as %s.') %
|
||||
user.name)
|
||||
return
|
||||
irc.error(_('Unknown GPG key.'), Raise=True)
|
||||
else:
|
||||
irc.error(_('Signature could not be verified. Make sure '
|
||||
'this is a valid GPG signature and the URL is valid.'))
|
||||
auth = wrap(auth, ['url'])
|
||||
|
||||
@internationalizeDocstring
|
||||
def capabilities(self, irc, msg, args, user):
|
||||
"""[<name>]
|
||||
|
@ -27,15 +27,67 @@
|
||||
# POSSIBILITY OF SUCH DAMAGE.
|
||||
###
|
||||
|
||||
from supybot.test import *
|
||||
import re
|
||||
from cStringIO import StringIO
|
||||
|
||||
import supybot.gpg as gpg
|
||||
from supybot.test import PluginTestCase, network
|
||||
|
||||
import supybot.conf as conf
|
||||
import supybot.world as world
|
||||
import supybot.ircdb as ircdb
|
||||
import supybot.utils as utils
|
||||
|
||||
PRIVATE_KEY = """
|
||||
-----BEGIN PGP PRIVATE KEY BLOCK-----
|
||||
Version: GnuPG v1.4.12 (GNU/Linux)
|
||||
|
||||
lQHYBFD7GxQBBACeu7bj/wgnnv5NkfHImZJVJLaq2cwKYc3rErv7pqLXpxXZbDOI
|
||||
jP+5eSmTLhPUK67aRD6gG0wQ9iAhYR03weOmyjDGh0eF7kLYhu/4Il56Y/YbB8ll
|
||||
Imz/pep/Hi72ShcW8AtifDup/KeHjaWa1yF2WThHbX/0N2ghSxbJnatpBwARAQAB
|
||||
AAP6Arf7le7FD3ZhGZvIBkPr25qca6i0Qxb5XpOinV7jLcoycZriJ9Xofmhda9UO
|
||||
xhNVppMvs/ofI/m0umnR4GLKtRKnJSc8Edxi4YKyqLehfBTF20R/kBYPZ772FkNW
|
||||
Kzo5yCpP1jpOc0+QqBuU7OmrG4QhQzTLXIUgw4XheORncEECAMGkvR47PslJqzbY
|
||||
VRIzWEv297r1Jxqy6qgcuCJn3RWYJbEZ/qdTYy+MgHGmaNFQ7yhfIzkBueq0RWZp
|
||||
Z4PfJn8CANHZGj6AJZcvb+VclNtc5VNfnKjYD+qQOh2IS8NhE/0umGMKz3frH1TH
|
||||
yCbh2LlPR89cqNcd4QvbHKA/UmzISXkB/37MbUnxXTpS9Y4HNpQCh/6SYlB0lucV
|
||||
QN0cgjfhd6nBrb6uO6+u40nBzgynWcEpPMNfN0AtQeA4Dx+WrnK6kZqfd7QMU3Vw
|
||||
eWJvdCB0ZXN0iLgEEwECACIFAlD7GxQCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4B
|
||||
AheAAAoJEMnTMjwgrwErV3AD/0kRq8UWPlkc6nyiIR6qiT3EoBNHKIi4cz68Wa1u
|
||||
F2M6einrRR0HolrxonynTGsdr1u2f3egOS4fNfGhTNAowSefYR9q5kIYiYE2DL5G
|
||||
YnjJKNfmnRxZM9YqmEnN50rgu2cifSRehp61fXdTtmOAR3js+9wb73dwbYzr3kIc
|
||||
3WH1
|
||||
=UBcd
|
||||
-----END PGP PRIVATE KEY BLOCK-----
|
||||
"""
|
||||
|
||||
WRONG_TOKEN_SIGNATURE = """
|
||||
-----BEGIN PGP SIGNED MESSAGE-----
|
||||
Hash: SHA1
|
||||
|
||||
{a95dc112-780e-47f7-a83a-c6f3820d7dc3}
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1.4.12 (GNU/Linux)
|
||||
|
||||
iJwEAQECAAYFAlD7Jb0ACgkQydMyPCCvASv9HgQAhQf/oFMWcKwGncH0hjXC3QYz
|
||||
7ck3chgL3S1pPAvS69viz6i2bwYZYD8fhzHNJ/qtw/rx6thO6PwT4SpdhKerap+I
|
||||
kdem3LjM4fAGHRunHZYP39obNKMn1xv+f26mEAAWxdv/W/BLAFqxi3RijJywRkXm
|
||||
zo5GUl844kpnV+uk0Xk=
|
||||
=z2Cz
|
||||
-----END PGP SIGNATURE-----
|
||||
"""
|
||||
|
||||
FINGERPRINT = '2CF3E41500218D30F0B654F5C9D3323C20AF012B'
|
||||
|
||||
class UserTestCase(PluginTestCase):
|
||||
plugins = ('User', 'Admin', 'Config')
|
||||
prefix1 = 'somethingElse!user@host.tld'
|
||||
prefix2 = 'EvensomethingElse!user@host.tld'
|
||||
|
||||
def setUp(self):
|
||||
super(UserTestCase, self).setUp()
|
||||
gpg.loadKeyring()
|
||||
|
||||
def testHostmaskList(self):
|
||||
self.assertError('hostmask list')
|
||||
original = self.prefix
|
||||
@ -151,5 +203,59 @@ class UserTestCase(PluginTestCase):
|
||||
self.assertNotError('load Seen')
|
||||
self.assertResponse('user list', 'Foo')
|
||||
|
||||
if gpg.available and network:
|
||||
def testGpgAddRemove(self):
|
||||
self.assertNotError('register foo bar')
|
||||
self.assertError('user gpg add 51E516F0B0C5CE6A pgp.mit.edu')
|
||||
self.assertResponse('user gpg add EB17F1E0CEB63930 pgp.mit.edu',
|
||||
'1 key imported, 0 unchanged, 0 not imported.')
|
||||
self.assertNotError(
|
||||
'user gpg remove F88ECDE235846FA8652DAF5FEB17F1E0CEB63930')
|
||||
self.assertResponse('user gpg add EB17F1E0CEB63930 pgp.mit.edu',
|
||||
'1 key imported, 0 unchanged, 0 not imported.')
|
||||
self.assertResponse('user gpg add EB17F1E0CEB63930 pgp.mit.edu',
|
||||
'Error: This key is already associated with your account.')
|
||||
|
||||
if gpg.available:
|
||||
def testGpgAuth(self):
|
||||
self.assertNotError('register spam egg')
|
||||
gpg.keyring.import_keys(PRIVATE_KEY).__dict__
|
||||
(id, user) = ircdb.users.items()[0]
|
||||
user.gpgkeys.append(FINGERPRINT)
|
||||
msg = self.getMsg('gpg gettoken').args[-1]
|
||||
match = re.search('is: ({.*}).', msg)
|
||||
assert match, repr(msg)
|
||||
token = match.group(1)
|
||||
|
||||
def fakeGetUrlFd(*args, **kwargs):
|
||||
return fd
|
||||
(utils.web.getUrlFd, realGetUrlFd) = (fakeGetUrlFd, utils.web.getUrlFd)
|
||||
|
||||
fd = StringIO()
|
||||
fd.write('foo')
|
||||
fd.seek(0)
|
||||
self.assertResponse('gpg auth http://foo.bar/baz.gpg',
|
||||
'Error: Signature or token not found.')
|
||||
|
||||
fd = StringIO()
|
||||
fd.write(token)
|
||||
fd.seek(0)
|
||||
self.assertResponse('gpg auth http://foo.bar/baz.gpg',
|
||||
'Error: Signature or token not found.')
|
||||
|
||||
fd = StringIO()
|
||||
fd.write(WRONG_TOKEN_SIGNATURE)
|
||||
fd.seek(0)
|
||||
self.assertRegexp('gpg auth http://foo.bar/baz.gpg',
|
||||
'Error: Unknown token.*')
|
||||
|
||||
fd = StringIO()
|
||||
fd.write(str(gpg.keyring.sign(token)))
|
||||
fd.seek(0)
|
||||
self.assertResponse('gpg auth http://foo.bar/baz.gpg',
|
||||
'You are now authenticated as spam.')
|
||||
|
||||
utils.web.getUrlFd = realGetUrlFd
|
||||
|
||||
# vim:set shiftwidth=4 softtabstop=4 expandtab textwidth=79:
|
||||
|
||||
|
72
src/gpg.py
Normal file
72
src/gpg.py
Normal file
@ -0,0 +1,72 @@
|
||||
###
|
||||
# Copyright (c) 2012, Valentin Lorentz
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions are met:
|
||||
#
|
||||
# * Redistributions of source code must retain the above copyright notice,
|
||||
# this list of conditions, and the following disclaimer.
|
||||
# * Redistributions in binary form must reproduce the above copyright notice,
|
||||
# this list of conditions, and the following disclaimer in the
|
||||
# documentation and/or other materials provided with the distribution.
|
||||
# * Neither the name of the author of this software nor the name of
|
||||
# contributors to this software may be used to endorse or promote products
|
||||
# derived from this software without specific prior written consent.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||||
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
|
||||
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
# POSSIBILITY OF SUCH DAMAGE.
|
||||
###
|
||||
|
||||
import os
|
||||
|
||||
import supybot.log as log
|
||||
import supybot.conf as conf
|
||||
import supybot.world as world
|
||||
|
||||
try:
|
||||
import gnupg
|
||||
except ImportError:
|
||||
# As we do not want Supybot to depend on GnuPG, we will use it only if
|
||||
# it is available. Otherwise, we just don't allow user auth through GPG.
|
||||
log.debug('Cannot import gnupg, using fallback.')
|
||||
gnupg = None
|
||||
|
||||
available = (gnupg is not None)
|
||||
|
||||
def fallback(default_return=None):
|
||||
"""Decorator.
|
||||
Does nothing if gnupg is loaded. Otherwise, returns the supplied
|
||||
default value."""
|
||||
def decorator(f):
|
||||
if available:
|
||||
def newf(*args, **kwargs):
|
||||
return f(*args, **kwargs)
|
||||
else:
|
||||
def newf(*args, **kwargs):
|
||||
return default_return
|
||||
return newf
|
||||
return decorator
|
||||
|
||||
@fallback()
|
||||
def loadKeyring():
|
||||
global keyring
|
||||
path = os.path.abspath(conf.supybot.directories.data.dirize('GPGkeyring'))
|
||||
if not os.path.isdir(path):
|
||||
log.info('Creating directory %s' % path)
|
||||
os.mkdir(path, 0700)
|
||||
assert os.path.isdir(path)
|
||||
keyring = gnupg.GPG(gnupghome=path)
|
||||
loadKeyring()
|
||||
|
||||
# Reload the keyring if path changed
|
||||
conf.supybot.directories.data.addCallback(loadKeyring)
|
@ -225,6 +225,7 @@ class IrcUser(object):
|
||||
self.nicks = {} # {'network1': ['foo', 'bar'], 'network': ['baz']}
|
||||
else:
|
||||
self.nicks = nicks
|
||||
self.gpgkeys = [] # GPG key ids
|
||||
|
||||
def __repr__(self):
|
||||
return format('%s(id=%s, ignore=%s, password="", name=%q, hashed=%r, '
|
||||
@ -357,6 +358,8 @@ class IrcUser(object):
|
||||
write('hostmask %s' % hostmask)
|
||||
for network, nicks in self.nicks.items():
|
||||
write('nicks %s %s' % (network, ' '.join(nicks)))
|
||||
for key in self.gpgkeys:
|
||||
write('gpgkey %s' % key)
|
||||
fd.write(os.linesep)
|
||||
|
||||
|
||||
@ -537,6 +540,10 @@ class IrcUserCreator(Creator):
|
||||
self._checkId()
|
||||
self.u.capabilities.add(rest)
|
||||
|
||||
def gpgkey(self, rest, lineno):
|
||||
self._checkId()
|
||||
self.u.gpgkeys.append(rest)
|
||||
|
||||
def finish(self):
|
||||
if self.u.name:
|
||||
try:
|
||||
|
Loading…
Reference in New Issue
Block a user