3 # :title: User management
\r
5 # rbot user management
\r
6 # Author:: Giuseppe Bilotta (giuseppe.bilotta@gmail.com)
\r
7 # Copyright:: Copyright (c) 2006 Giuseppe Bilotta
\r
17 # This module contains the actual Authentication stuff
\r
21 BotConfig.register BotConfigStringValue.new( 'auth.password',
\r
22 :default => 'rbotauth', :wizard => true,
\r
23 :on_change => Proc.new {|bot, v| bot.auth.botowner.password = v},
\r
24 :desc => _('Password for the bot owner'))
\r
25 BotConfig.register BotConfigBooleanValue.new( 'auth.login_by_mask',
\r
27 :desc => _('Set false to prevent new botusers from logging in without a password when the user netmask is known'))
\r
28 BotConfig.register BotConfigBooleanValue.new( 'auth.autologin',
\r
30 :desc => _('Set false to prevent new botusers from recognizing IRC users without a need to manually login'))
\r
31 BotConfig.register BotConfigBooleanValue.new( 'auth.autouser',
\r
32 :default => 'false',
\r
33 :desc => _('Set true to allow new botusers to be created automatically'))
\r
34 # BotConfig.register BotConfigIntegerValue.new( 'auth.default_level',
\r
35 # :default => 10, :wizard => true,
\r
36 # :desc => 'The default level for new/unknown users' )
\r
38 # Generate a random password of length _l_
\r
40 def Auth.random_password(l=8)
\r
43 pwd << (rand(26) + (rand(2) == 0 ? 65 : 97) ).chr
\r
49 # An Irc::Auth::Command defines a command by its "path":
\r
51 # base::command::subcommand::subsubcommand::subsubsubcommand
\r
55 attr_reader :command, :path
\r
57 # A method that checks if a given _cmd_ is in a form that can be
\r
58 # reduced into a canonical command path, and if so, returns it
\r
60 def sanitize_command_path(cmd)
\r
61 pre = cmd.to_s.downcase.gsub(/^\*?(?:::)?/,"").gsub(/::$/,"")
\r
62 return pre if pre.empty?
\r
63 return pre if pre =~ /^\S+(::\S+)*$/
\r
64 raise TypeError, "#{cmd.inspect} is not a valid command"
\r
67 # Creates a new Command from a given string; you can then access
\r
68 # the command as a symbol with the :command method and the whole
\r
71 # Command.new("core::auth::save").path => [:"*", :"core", :"core::auth", :"core::auth::save"]
\r
73 # Command.new("core::auth::save").command => :"core::auth::save"
\r
76 cmdpath = sanitize_command_path(cmd).split('::')
\r
77 seq = cmdpath.inject(["*"]) { |list, cmd|
\r
78 list << (list.length > 1 ? list.last + "::" : "") + cmd
\r
80 @path = seq.map { |k|
\r
83 @command = path.last
\r
84 debug "Created command #{@command.inspect} with path #{@path.pretty_inspect}"
\r
88 def to_irc_auth_command
\r
101 # Returns an Irc::Auth::Comand from the receiver
\r
102 def to_irc_auth_command
\r
103 Irc::Auth::Command.new(self)
\r
111 # Returns an Irc::Auth::Comand from the receiver
\r
112 def to_irc_auth_command
\r
113 Irc::Auth::Command.new(self)
\r
125 # This class describes a permission set
\r
126 class PermissionSet
\r
129 # Create a new (empty) PermissionSet
\r
135 # Inspection simply inspects the internal hash
\r
140 # Sets the permission for command _cmd_ to _val_,
\r
142 def set_permission(str, val)
\r
143 cmd = str.to_irc_auth_command
\r
146 @perm[cmd.command] = val
\r
148 @perm.delete(cmd.command)
\r
150 raise TypeError, "#{val.inspect} must be true or false" unless [true,false].include?(val)
\r
154 # Resets the permission for command _cmd_
\r
156 def reset_permission(cmd)
\r
157 set_permission(cmd, nil)
\r
160 # Tells if command _cmd_ is permitted. We do this by returning
\r
161 # the value of the deepest Command#path that matches.
\r
164 cmd = str.to_irc_auth_command
\r
166 cmd.path.reverse.each { |k|
\r
167 if @perm.has_key?(k)
\r
178 # This is the error that gets raised when an invalid password is met
\r
180 class InvalidPassword < RuntimeError
\r
184 # This is the basic class for bot users: they have a username, a password,
\r
185 # a list of netmasks to match against, and a list of permissions.
\r
189 attr_reader :username
\r
190 attr_reader :password
\r
191 attr_reader :netmasks
\r
193 attr_writer :login_by_mask
\r
194 attr_writer :autologin
\r
195 attr_accessor :transient
\r
197 # Create a new BotUser with given username
\r
198 def initialize(username, options={})
\r
199 opts = {:transient => false}.merge(options)
\r
200 @transient = opts[:transient]
\r
201 @username = @transient ? "*" : ""
\r
202 @username << BotUser.sanitize_username(username)
\r
204 @netmasks = NetmaskList.new
\r
206 reset_login_by_mask
\r
212 str = "<#{self.class}:#{'0x%08x' % self.object_id}:"
\r
213 str << " @username=#{@username.inspect}"
\r
214 str << " @netmasks=#{@netmasks.inspect}"
\r
215 str << " @perm=#{@perm.inspect}"
\r
216 str << " @login_by_mask=#{@login_by_mask}"
\r
217 str << " @autologin=#{@autologin}"
\r
226 # Convert into a hash
\r
229 :username => @username,
\r
230 :password => @password,
\r
231 :netmasks => @netmasks,
\r
233 :login_by_mask => @login_by_mask,
\r
234 :autologin => @autologin
\r
238 # Do we allow logging in without providing the password?
\r
244 # Reset the login-by-mask option
\r
246 def reset_login_by_mask
\r
247 @login_by_mask = Auth.authmanager.bot.config['auth.login_by_mask'] unless defined?(@login_by_mask)
\r
250 # Reset the autologin option
\r
252 def reset_autologin
\r
253 @autologin = Auth.authmanager.bot.config['auth.autologin'] unless defined?(@autologin)
\r
256 # Do we allow automatic logging in?
\r
262 # Restore from hash
\r
264 @username = h[:username] if h.has_key?(:username)
\r
265 @password = h[:password] if h.has_key?(:password)
\r
266 @netmasks = h[:netmasks] if h.has_key?(:netmasks)
\r
267 @perm = h[:perm] if h.has_key?(:perm)
\r
268 @login_by_mask = h[:login_by_mask] if h.has_key?(:login_by_mask)
\r
269 @autologin = h[:autologin] if h.has_key?(:autologin)
\r
272 # This method sets the password if the proposed new password
\r
274 def password=(pwd=nil)
\r
280 raise InvalidPassword, "#{pass} contains invalid characters" if pass !~ /^[\x21-\x7e]+$/
\r
281 raise InvalidPassword, "#{pass} too short" if pass.length < 4
\r
283 rescue InvalidPassword => e
\r
286 raise InvalidPassword, "Exception #{e.inspect} while checking #{pass.inspect} (#{pwd.inspect})"
\r
291 # Resets the password by creating a new onw
\r
293 @password = Auth.random_password
\r
296 # Sets the permission for command _cmd_ to _val_ on channel _chan_
\r
298 def set_permission(cmd, val, chan="*")
\r
299 k = chan.to_s.to_sym
\r
300 @perm[k] = PermissionSet.new unless @perm.has_key?(k)
\r
301 @perm[k].set_permission(cmd, val)
\r
304 # Resets the permission for command _cmd_ on channel _chan_
\r
306 def reset_permission(cmd, chan ="*")
\r
307 set_permission(cmd, nil, chan)
\r
310 # Checks if BotUser is allowed to do something on channel _chan_,
\r
311 # or on all channels if _chan_ is nil
\r
313 def permit?(cmd, chan=nil)
\r
315 k = chan.to_s.to_sym
\r
320 if @perm.has_key?(k)
\r
321 allow = @perm[k].permit?(cmd)
\r
328 def add_netmask(mask)
\r
329 @netmasks << mask.to_irc_netmask
\r
332 # Removes a Netmask
\r
334 def delete_netmask(mask)
\r
335 m = mask.to_irc_netmask
\r
336 @netmasks.delete(m)
\r
339 # Removes all <code>Netmask</code>s
\r
342 @netmasks = NetmaskList.new
\r
345 # This method checks if BotUser has a Netmask that matches _user_
\r
348 user = usr.to_irc_user
\r
350 @netmasks.each { |n|
\r
351 if user.matches?(n)
\r
359 # This method gets called when User _user_ wants to log in.
\r
360 # It returns true or false depending on whether the password
\r
361 # is right. If it is, the Netmask of the user is added to the
\r
362 # list of acceptable Netmask unless it's already matched.
\r
363 def login(user, password=nil)
\r
364 if password == @password or (password.nil? and (@login_by_mask || @autologin) and knows?(user))
\r
365 add_netmask(user) unless knows?(user)
\r
366 debug "#{user} logged in as #{self.inspect}"
\r
373 # # This method gets called when User _user_ has logged out as this BotUser
\r
375 # delete_netmask(user) if knows?(user)
\r
378 # This method sanitizes a username by chomping, downcasing
\r
379 # and replacing any nonalphanumeric character with _
\r
381 def BotUser.sanitize_username(name)
\r
382 candidate = name.to_s.chomp.downcase.gsub(/[^a-z0-9]/,"_")
\r
383 raise "sanitized botusername #{candidate} too short" if candidate.length < 3
\r
389 # A TransientBotUser is a BotUser that is not intended
\r
390 # for permanent storage. A TransientBotUser must be
\r
391 # created with an associated Netmask or User. In the former
\r
392 # case the Netmask is added to BotUser's known masks, in the
\r
393 # latter the nick part is gobbled and so are the initial
\r
394 # nonletter parts of the user.
\r
396 class TransientBotUser < BotUser
\r
397 def initialize(mask_or_user)
\r
398 super(object_id, :transient => true)
\r
400 mask = Netmask.new(mask_or_user)
\r
401 if User === mask_or_user
\r
403 mask.host = mask_or_user.host.dup
\r
404 mask.user = "*" + mask_or_user.user.sub(/^[^\w]+/,'')
\r
412 # This is the default BotUser: it's used for all users which haven't
\r
413 # identified with the bot
\r
415 class DefaultBotUserClass < BotUser
\r
417 private :add_netmask, :delete_netmask
\r
421 # The default BotUser is named 'everyone'
\r
424 reset_login_by_mask
\r
427 @default_perm = PermissionSet.new
\r
430 # This method returns without changing anything
\r
432 def login_by_mask=(val)
\r
433 debug "Tried to change the login-by-mask for default bot user, ignoring"
\r
434 return @login_by_mask
\r
437 # The default botuser allows logins by mask
\r
439 def reset_login_by_mask
\r
440 @login_by_mask = true
\r
443 # This method returns without changing anything
\r
445 def autologin=(val)
\r
446 debug "Tried to change the autologin for default bot user, ignoring"
\r
450 # The default botuser doesn't allow autologin (meaningless)
\r
452 def reset_autologin
\r
456 # Sets the default permission for the default user (i.e. the ones
\r
457 # set by the BotModule writers) on all channels
\r
459 def set_default_permission(cmd, val)
\r
460 @default_perm.set_permission(Command.new(cmd), val)
\r
461 debug "Default permissions now: #{@default_perm.pretty_inspect}"
\r
464 # default knows everybody
\r
467 return true if user.to_irc_user
\r
470 # We always allow logging in as the default user
\r
471 def login(user, password)
\r
475 # Resets the NetmaskList
\r
478 add_netmask("*!*@*")
\r
481 # DefaultBotUser will check the default_perm after checking
\r
483 # or on all channels if _chan_ is nil
\r
485 def permit?(cmd, chan=nil)
\r
486 allow = super(cmd, chan)
\r
487 if allow.nil? && chan.nil?
\r
488 allow = @default_perm.permit?(cmd)
\r
495 # Returns the only instance of DefaultBotUserClass
\r
497 def Auth.defaultbotuser
\r
498 return DefaultBotUserClass.instance
\r
501 # This is the BotOwner: he can do everything
\r
503 class BotOwnerClass < BotUser
\r
508 @login_by_mask = false
\r
513 def permit?(cmd, chan=nil)
\r
519 # Returns the only instance of BotOwnerClass
\r
522 return BotOwnerClass.instance
\r
526 # This is the AuthManagerClass singleton, used to manage User/BotUser connections and
\r
529 class AuthManagerClass
\r
533 attr_reader :everyone
\r
534 attr_reader :botowner
\r
537 # The instance manages two <code>Hash</code>es: one that maps
\r
538 # <code>Irc::User</code>s onto <code>BotUser</code>s, and the other that maps
\r
539 # usernames onto <code>BotUser</code>
\r
541 @everyone = Auth::defaultbotuser
\r
542 @botowner = Auth::botowner
\r
546 def bot_associate(bot)
\r
547 raise "Cannot associate with a new bot! Save first" if defined?(@has_changes) && @has_changes
\r
554 # This variable is set to true when there have been changes
\r
555 # to the botusers list, so that we know when to save
\r
556 @has_changes = false
\r
560 @has_changes = true
\r
564 @has_changes = false
\r
571 # resets the hashes
\r
573 @botusers = Hash.new
\r
574 @allbotusers = Hash.new
\r
575 [everyone, botowner].each { |x|
\r
576 @allbotusers[x.username.to_sym] = x
\r
578 @transients = Set.new
\r
581 def load_array(ary, forced)
\r
583 warning "Tried to load an empty array"
\r
586 raise "Won't load with unsaved changes" if @has_changes and not forced
\r
589 raise TypeError, "#{x} should be a Hash" unless x.kind_of?(Hash)
\r
594 get_botuser(u).from_hash(x)
\r
595 get_botuser(u).transient = false
\r
601 @allbotusers.values.map { |x|
\r
602 x.transient ? nil : x.to_hash
\r
606 # checks if we know about a certain BotUser username
\r
607 def include?(botusername)
\r
608 @allbotusers.has_key?(botusername.to_sym)
\r
611 # Maps <code>Irc::User</code> to BotUser
\r
612 def irc_to_botuser(ircuser)
\r
613 logged = @botusers[ircuser.to_irc_user]
\r
614 return logged if logged
\r
615 return autologin(ircuser)
\r
618 # creates a new BotUser
\r
619 def create_botuser(name, password=nil)
\r
620 n = BotUser.sanitize_username(name)
\r
622 raise "botuser #{n} exists" if include?(k)
\r
623 bu = BotUser.new(n)
\r
624 bu.password = password
\r
625 @allbotusers[k] = bu
\r
629 # returns the botuser with name _name_
\r
630 def get_botuser(name)
\r
631 @allbotusers.fetch(BotUser.sanitize_username(name).to_sym)
\r
634 # Logs Irc::User _user_ in to BotUser _botusername_ with password _pwd_
\r
636 # raises an error if _botusername_ is not a known BotUser username
\r
638 # It is possible to autologin by Netmask, on request
\r
640 def login(user, botusername, pwd=nil)
\r
641 ircuser = user.to_irc_user
\r
642 n = BotUser.sanitize_username(botusername)
\r
644 raise "No such BotUser #{n}" unless include?(k)
\r
645 if @botusers.has_key?(ircuser)
\r
646 return true if @botusers[ircuser].username == n
\r
648 # @botusers[ircuser].logout(ircuser)
\r
650 bu = @allbotusers[k]
\r
651 if bu.login(ircuser, pwd)
\r
652 @botusers[ircuser] = bu
\r
658 # Tries to auto-login Irc::User _user_ by looking at the known botusers that allow autologin
\r
659 # and trying to login without a password
\r
661 def autologin(user)
\r
662 ircuser = user.to_irc_user
\r
663 debug "Trying to autologin #{ircuser}"
\r
664 return @botusers[ircuser] if @botusers.has_key?(ircuser)
\r
665 @allbotusers.each { |n, bu|
\r
666 debug "Checking with #{n}"
\r
667 return bu if bu.autologin? and login(ircuser, n)
\r
669 # Check with transient users
\r
670 @transients.each { |bu|
\r
671 return bu if bu.login(ircuser)
\r
673 # Finally, create a transient if we're set to allow it
\r
674 if @bot.config['auth.autouser']
\r
675 bu = create_transient_botuser(ircuser)
\r
681 # Creates a new transient BotUser associated with Irc::User _user_,
\r
682 # automatically logging him in
\r
684 def create_transient_botuser(user)
\r
685 ircuser = user.to_irc_user
\r
686 bu = TransientBotUser.new(ircuser)
\r
692 # Checks if User _user_ can do _cmd_ on _chan_.
\r
694 # Permission are checked in this order, until a true or false
\r
696 # * associated BotUser on _chan_
\r
697 # * associated BotUser on all channels
\r
698 # * everyone on _chan_
\r
699 # * everyone on all channels
\r
701 def permit?(user, cmdtxt, channel=nil)
\r
702 if user.class <= BotUser
\r
705 botuser = irc_to_botuser(user)
\r
707 cmd = cmdtxt.to_irc_auth_command
\r
719 allow = botuser.permit?(cmd, chan) if chan
\r
720 return allow unless allow.nil?
\r
721 allow = botuser.permit?(cmd)
\r
722 return allow unless allow.nil?
\r
724 unless botuser == everyone
\r
725 allow = everyone.permit?(cmd, chan) if chan
\r
726 return allow unless allow.nil?
\r
727 allow = everyone.permit?(cmd)
\r
728 return allow unless allow.nil?
\r
731 raise "Could not check permission for user #{user.inspect} to run #{cmdtxt.inspect} on #{chan.inspect}"
\r
734 # Checks if command _cmd_ is allowed to User _user_ on _chan_, optionally
\r
735 # telling if the user is authorized
\r
737 def allow?(cmdtxt, user, chan=nil)
\r
738 if permit?(user, cmdtxt, chan)
\r
741 # cmds = cmdtxt.split('::')
\r
742 # @bot.say chan, "you don't have #{cmds.last} (#{cmds.first}) permissions here" if chan
\r
743 @bot.say chan, _("%{user}, you don't have '%{command}' permissions here") %
\r
744 {:user=>user, :command=>cmdtxt} if chan
\r
751 # Returns the only instance of AuthManagerClass
\r
753 def Auth.authmanager
\r
754 return AuthManagerClass.instance
\r