X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=lib%2Frbot%2Fbotuser.rb;h=97bab93cc34545c3ed4c875209107eec3dd2624c;hb=8218e3f05e8ccd95497dd3c7aa115cfde8b01a40;hp=db33cd273ed197b1253f1d3f21079d6fcc21bec8;hpb=abce7a8fc036e849ee20f386b003b0d93b97fead;p=user%2Fhenk%2Fcode%2Fruby%2Frbot.git diff --git a/lib/rbot/botuser.rb b/lib/rbot/botuser.rb index db33cd27..97bab93c 100644 --- a/lib/rbot/botuser.rb +++ b/lib/rbot/botuser.rb @@ -1,586 +1,941 @@ -#-- vim:sw=2:et -#++ -# :title: User management -# -# rbot user management -# Author:: Giuseppe Bilotta (giuseppe.bilotta@gmail.com) -# Copyright:: Copyright (c) 2006 Giuseppe Bilotta -# License:: GPLv2 - -#-- -##### -#### -### Discussion on IRC on how to implement it -## -# -# a. do we want user groups together with users? -# hmm -# let me think about it -# generally I would say: as simple as possible while keeping it as flexible as need be -# I think we can put user groups in place afterwards if we build the structure right -# prolly, yes -# so -# each plugin registers a name -# so rather than auth level we have +name -name -# yes -# much better -# the default is +name for every plugin, except when the plugin tells otherwise -# although.. -# if I only want to allow you access to one plugin -# I have lots of typing to do -# nope -# we allow things like -* -# ok -# and + has precedence -# hm no, not good either -# because we want bot -* +onething and +* -onething to work -# but then: one plugin currently can have several levels, no? -# of course -# commandedit, commanddel, commandfoo -# name.command ? -# yep -# (then you can't have dots in commands -# maybe name:command -# or name::comand -# like a namespace -# ehehehe yeah I like it :) -# tel -# brb -# usermod setcaps eean -* -# usermod setcaps eean +quiz::edit -# great -# or even -# auth eean -*, +quiz::edit -# awesome -# auth eean -*, +quiz::edit, +command, -command::del -# yes -# you know, the default should be -* -# because -# in the time between adding the user and changing auth -# it's insecure -# user could do havoc -# useradd eean, then eean does "~quit", before I change auth -# nope -# perhaps we should allow combining useradd with auth -# the default should be +* -important stuff -# ok -# how to specify channel stuff? -# for one, when you issue the command on the channel itself -# then it's channel relative -# perhaps -# or -# yes but I was thinking more about the syntax -# auth eean #rbot -quiz -# hm -# or maybe: treat channels like users: auth #rbot -quiz -# would shut up quiz in #rbot -# hm -# heh -# auth * #rbot -quiz -# not sure I'm making sense here ;) -# I think syntax should be auth [usermask] [channelmask] [modes] -# yes -# modes separated by comma? -# where channelmask is implied to be * -# no we can have it spacesplit -# great -# ok -# modes are detected by +- -# so you can do something like auth markey #rbot -quiz #amarok -chuck -# also I like "auth" a lot more than "usermod foo" -# yep -# I don't understand why the 'mod' -# we could have all auth commands start with use -# user -# user add -# user list -# user del -# yes -# user auth -# hm -# and maybe auth as a synonym for user auth -# this is also uncomfortable: usermod wants the full user mask -# you have to copy/paste it -# no -# can't you use *? -# sorry not sure -# but this shows, it's not inuitive -# I've read the docs -# but didn't know how to use it really -# markey!*@* -# that's not very intuitive -# we could use nick as a synonym for nick!*@* if it's too much for you :D -# usermod markey foo should suffice -# rememember: you're a hacker. when rbot gets many new users, they will often be noobs -# gotta make things simple to use -# but the hostmask is only needed for the user creation -# really? then forget what I said, sorry -# I think so -# ,help auth -# Auth module (User authentication) topics: setlevel, useradd, userdel, usermod, auth, levels, users, whoami, identify -# ,help usermod -# no help for topic usermod -# ,help auth usermod -# usermod => Modify s settings. Valid s are: hostmask, (+|-)hostmask, password, level (private addressing only) -# see? it's username, not nick :D -# btw, help usermod should also work -# ,help auth useradd -# useradd => Add user , you still need to set him up correctly (private addressing only) -# instead of help auth usermode -# when it's not ambiguous -# and the help for useradd is wrong -# for the website, we could make a logo contest :) the current logo looks like giblet made it in 5 minutes ;) -# ah well, for 1.0 maybe -# so a user on rbot is given by -# username, password, hostmasks, permissions -# yup -# the default permission is +* -importantstuff -# how defines importantstuff? -# you mean like core and auth? -# yes -# ok -# but we can decide about this :) -# some plugins are dangerous by default -# like command plugin -# you can do all sorts of nasty shit with it -# then command plugin will do something like: command.defaultperm("-command") -# yes, good point -# this is then added to the default permissions (user * channel *) -# when checking for auth, we go like this: -# hm -# check user * channel * -# then user name channel * -# then user * channel name -# then user name channel name -# for each of these combinations we match against * first, then against command, and then against command::subcommand -# yup -# setting or resetting it depending on wether it's + or - -# the final result gives us the permission -# implementation detail -# username and passwords are strings -# (I might rename the command plugin, the name is somewhat confusing) -# yeah -# hostmasks are hostmasks -# also I'm pondering to restrict it more: disallow access to @bot -# permissions are in the form [ [channel, {command => bool, ...}] ...] -#++ - -module Irc - - # This method raises a TypeError if _user_ is not of class User - # - def error_if_not_user(user) - raise TypeError, "#{user.inspect} must be of type Irc::User and not #{user.class}" unless user.class <= User - end - - # This method raises a TypeError if _chan_ is not of class Chan - # - def error_if_not_channel(chan) - raise TypeError, "#{chan.inspect} must be of type Irc::User and not #{chan.class}" unless chan.class <= Channel - end - - - # This module contains the actual Authentication stuff - # - module Auth - - # Generate a random password of length _l_ - # - def random_password(l=8) - pwd = "" - 8.times do - pwd += (rand(26) + (rand(2) == 0 ? 65 : 97) ).chr - end - return pwd - end - - - # An Irc::Auth::Command defines a command by its "path": - # - # base::command::subcommand::subsubcommand::subsubsubcommand - # - class Command - - attr_reader :command, :path - - # A method that checks if a given _cmd_ is in a form that can be - # reduced into a canonical command path, and if so, returns it - # - def sanitize_command_path(cmd) - pre = cmd.to_s.downcase.gsub(/^\*?(?:::)?/,"").gsub(/::$/,"") - return pre if pre.empty? - return pre if pre =~ /^\S+(::\S+)*$/ - raise TypeError, "#{cmd.inspect} is not a valid command" - end - - # Creates a new Command from a given string; you can then access - # the command as a symbol with the :command method and the whole - # path as :path - # - # Command.new("core::auth::save").path => [:"", :core, :"core::auth", :"core::auth::save"] - # - # Command.new("core::auth::save").command => :"core::auth::save" - # - def initialize(cmd) - cmdpath = sanitize_command_path(cmd).split('::') - seq = cmdpath.inject([""]) { |list, cmd| - list << (list.last ? list.last + "::" : "") + cmd - } - @path = seq.map { |k| - k.to_sym - } - @command = path.last - end - end - - # This method raises a TypeError if _user_ is not of class User - # - def error_if_not_command(cmd) - raise TypeError, "#{cmd.inspect} must be of type Irc::Auth::Command and not #{cmd.class}" unless cmd.class <= Command - end - - - # This class describes a permission set - class PermissionSet - - # Create a new (empty) PermissionSet - # - def initialize - @perm = {} - end - - # Sets the permission for command _cmd_ to _val_, - # creating intermediate permissions if needed. - # - def set_permission(cmd, val) - raise TypeError, "#{val.inspect} must be true or false" unless [true,false].include?(val) - error_if_not_command(cmd) - cmd.path.each { |k| - set_permission(k.to_s, true) unless @perm.has_key?(k) - } - @perm[path.last] = val - end - - # Tells if command _cmd_ is permitted. We do this by returning - # the value of the deepest Command#path that matches. - # - def permit?(cmd) - error_if_not_command(cmd) - allow = nil - cmd.path.reverse.each { |k| - if @perm.has_key?(k) - allow = @perm[k] - break - end - } - return allow - end - end - - - # This is the basic class for bot users: they have a username, a password, a - # list of netmasks to match against, and a list of permissions. - # - class BotUser - - attr_reader :username - attr_reader :password - attr_reader :netmasks - - # Create a new BotUser with given username - def initialize(username) - @username = BotUser.sanitize_username(username) - @password = nil - @netmasks = NetmaskList.new - @perm = {} - end - - # Resets the password by creating a new onw - def reset_password - @password = random_password - end - - # Sets the permission for command _cmd_ to _val_ on channel _chan_ - # - def set_permission(cmd, val, chan="*") - k = chan.to_s.to_sym - @perm[k] = PermissionSet.new unless @perm.has_key?(k) - @perm[k].set_permission(cmd, val) - end - - # Checks if BotUser is allowed to do something on channel _chan_, - # or on all channels if _chan_ is nil - # - def permit?(cmd, chan=nil) - if chan - k = chan.to_s.to_sym - else - k = :* - end - allow = nil - if @perm.has_key?(k) - allow = @perm[k].permit?(cmd) - end - return allow - end - - # Adds a Netmask - # - def add_netmask(mask) - case mask - when Netmask - @netmasks << mask - else - @netmasks << Netmask(mask) - end - end - - # Removes a Netmask - # - def delete_netmask(mask) - case mask - when Netmask - m = mask - else - m << Netmask(mask) - end - @netmasks.delete(m) - end - - # Removes all Netmasks - def reset_netmask_list - @netmasks = NetmaskList.new - end - - # This method checks if BotUser has a Netmask that matches _user_ - def knows?(user) - error_if_not_user(user) - known = false - @netmasks.each { |n| - if user.matches?(n) - known = true - break - end - } - return known - end - - # This method gets called when User _user_ wants to log in. - # It returns true or false depending on whether the password - # is right. If it is, the Netmask of the user is added to the - # list of acceptable Netmask unless it's already matched. - def login(user, password) - if password == @password - add_netmask(user) unless knows?(user) - return true - else - return false - end - end - - # # This method gets called when User _user_ has logged out as this BotUser - # def logout(user) - # delete_netmask(user) if knows?(user) - # end - - # This method sanitizes a username by chomping, downcasing - # and replacing any nonalphanumeric character with _ - # - def BotUser.sanitize_username(name) - return name.to_s.chomp.downcase.gsub(/[^a-z0-9]/,"_") - end - - # This method sets the password if the proposed new password - # is valid - def password=(pwd=nil) - if pwd - begin - raise InvalidPassword, "#{pwd} contains invalid characters" if pwd !~ /^[A-Za-z0-9]+$/ - raise InvalidPassword, "#{pwd} too short" if pwd.length < 4 - @password = pwd - rescue InvalidPassword => e - raise e - rescue => e - raise InvalidPassword, "Exception #{e.inspect} while checking #{pwd}" - end - else - reset_password - end - end - end - - - # This is the anonymous BotUser: it's used for all users which haven't - # identified with the bot - # - class AnonBotUserClass < BotUser - include Singleton - def initialize - super("anonymous") - end - private :login, :add_netmask, :delete_netmask - - # Anon knows everybody - def knows?(user) - error_if_not_user(user) - return true - end - - # Resets the NetmaskList - def reset_netmask_list - super - add_netmask("*!*@*") - end - end - - # Returns the only instance of AnonBotUserClass - # - def anonbotuser - return AnonBotUserClass.instance - end - - # This is the BotOwner: he can do everything - # - class BotOwnerClass < BotUser - include Singleton - def initialize - super("owner") - end - - def permit?(cmd, chan=nil) - return true - end - end - - # Returns the only instance of BotOwnerClass - # - def botowner - return BotOwneClass.instance - end - - - # This is the AuthManagerClass singleton, used to manage User/BotUser connections and - # everything - # - class AuthManagerClass - include Singleton - - # The instance manages two Hashes: one that maps - # Irc::Users onto BotUsers, and the other that maps - # usernames onto BotUser - def initialize - reset_hashes - - # This variable is set to true when there have been changes - # to the botusers list, so that we know when to save - @has_changes = false - end - - # resets the hashes - def reset_hashes - @botusers = Hash.new - @allbotusers = Hash.new - [anonbotuser, botowner].each { |x| @allbotusers[x.username.to_sym] = x } - end - - # load botlist from userfile - def load_merge(filename=nil) - # TODO - raise NotImplementedError - @has_changes = true - end - - def load(filename=nil) - reset_hashes - load_merge(filename) - end - - # save botlist to userfile - def save(filename=nil) - return unless @has_changes - # TODO - raise NotImplementedError - end - - # checks if we know about a certain BotUser username - def include?(botusername) - @allbotusers.has_key?(botusername.to_sym) - end - - # Maps Irc::User to BotUser - def irc_to_botuser(ircuser) - error_if_not_user(ircuser) - return @botusers[ircuser] || anonbotuser - end - - # creates a new BotUser - def create_botuser(name, password=nil) - n = BotUser.sanitize_username(name) - k = n.to_sym - raise "BotUser #{n} exists" if include?(k) - bu = BotUser.new(n) - bu.password = password - @allbotusers[k] = bu - end - - # Logs Irc::User _ircuser_ in to BotUser _botusername_ with password _pwd_ - # - # raises an error if _botusername_ is not a known BotUser username - # - # It is possible to autologin by Netmask, on request - # - def login(ircuser, botusername, pwd, bymask = false) - error_if_not_user(ircuser) - n = BotUser.sanitize_username(name) - k = n.to_sym - raise "No such BotUser #{n}" unless include?(k) - if @botusers.has_key?(ircuser) - # TODO - # @botusers[ircuser].logout(ircuser) - end - bu = @allbotusers[k] - if bymask && bu.knows?(user) - @botusers[ircuser] = bu - return true - elsif bu.login(ircuser, pwd) - @botusers[ircuser] = bu - return true - end - return false - end - - # Checks if User _user_ can do _cmd_ on _chan_. - # - # Permission are checked in this order, until a true or false - # is returned: - # * associated BotUser on _chan_ - # * associated BotUser on all channels - # * anonbotuser on _chan_ - # * anonbotuser on all channels - # - def permit?(user, cmdtxt, chan=nil) - error_if_not_user(user) - cmd = Command.new(cmdtxt) - allow = nil - botuser = @botusers[user] - allow = botuser.permit?(cmd, chan) if chan - return allow unless allow.nil? - allow = botuser.permit?(cmd) - return allow unless allow.nil? - unless botuser == anonbotuser - allow = anonbotuser.permit?(cmd, chan) if chan - return allow unless allow.nil? - allow = anonbotuser.permit?(cmd) - return allow unless allow.nil? - end - raise "Could not check permission for user #{user.inspect} to run #{cmdtxt.inspect} on #{chan.inspect}" - end - end - - # Returns the only instance of AuthManagerClass - # - def authmanager - return AuthManagerClass.instance - end - end -end +#-- vim:sw=2:et +#++ +# :title: User management +# +# rbot user management +# Author:: Giuseppe Bilotta (giuseppe.bilotta@gmail.com) + +require 'singleton' +require 'set' +require 'rbot/maskdb' + +# This would be a good idea if it was failproof, but the truth +# is that other methods can indirectly modify the hash. *sigh* +# +# class AuthNotifyingHash < Hash +# %w(clear default= delete delete_if replace invert +# merge! update rehash reject! replace shift []= store).each { |m| +# class_eval { +# define_method(m) { |*a| +# r = super(*a) +# Irc::Bot::Auth.manager.set_changed +# r +# } +# } +# } +# end +# + +module Irc +class Bot + + + # This module contains the actual Authentication stuff + # + module Auth + + Config.register Config::StringValue.new( 'auth.password', + :default => [*?a..?z,*?A..?Z,*?0..?9].sample(8).join, :store_default => true, + :wizard => true, + :on_change => Proc.new {|bot, v| bot.auth.botowner.password = v}, + :desc => _('Password for the bot owner')) + Config.register Config::BooleanValue.new( 'auth.login_by_mask', + :default => 'true', + :desc => _('Set false to prevent new botusers from logging in without a password when the user netmask is known')) + Config.register Config::BooleanValue.new( 'auth.autologin', + :default => 'true', + :desc => _('Set false to prevent new botusers from recognizing IRC users without a need to manually login')) + Config.register Config::BooleanValue.new( 'auth.autouser', + :default => 'false', + :desc => _('Set true to allow new botusers to be created automatically')) + # Config.register Config::IntegerValue.new( 'auth.default_level', + # :default => 10, :wizard => true, + # :desc => 'The default level for new/unknown users' ) + + # Generate a random password of length _l_ + # + def Auth.random_password(l=8) + pwd = "" + l.times do + pwd << (rand(26) + (rand(2) == 0 ? 65 : 97) ).chr + end + return pwd + end + + + # An Irc::Bot::Auth::Command defines a command by its "path": + # + # base::command::subcommand::subsubcommand::subsubsubcommand + # + class Command + + attr_reader :command, :path + + # A method that checks if a given _cmd_ is in a form that can be + # reduced into a canonical command path, and if so, returns it + # + def sanitize_command_path(cmd) + pre = cmd.to_s.downcase.gsub(/^\*?(?:::)?/,"").gsub(/::$/,"") + return pre if pre.empty? + return pre if pre =~ /^\S+(::\S+)*$/ + raise TypeError, "#{cmd.inspect} is not a valid command" + end + + # Creates a new Command from a given string; you can then access + # the command as a symbol with the :command method and the whole + # path as :path + # + # Command.new("core::auth::save").path => [:"*", :"core", :"core::auth", :"core::auth::save"] + # + # Command.new("core::auth::save").command => :"core::auth::save" + # + def initialize(cmd) + cmdpath = sanitize_command_path(cmd).split('::') + seq = cmdpath.inject(["*"]) { |list, cc| + list << (list.length > 1 ? list.last + "::" : "") + cc + } + @path = seq.map { |k| + k.to_sym + } + @command = path.last + debug "Created command #{@command.inspect} with path #{@path.pretty_inspect}" + end + + # Returs self + def to_irc_auth_command + self + end + + end + + end + +end +end + + +class String + + # Returns an Irc::Bot::Auth::Comand from the receiver + def to_irc_auth_command + Irc::Bot::Auth::Command.new(self) + end + +end + + +class Symbol + + # Returns an Irc::Bot::Auth::Comand from the receiver + def to_irc_auth_command + Irc::Bot::Auth::Command.new(self) + end + +end + + +module Irc +class Bot + + + module Auth + + + # This class describes a permission set + class PermissionSet + + attr_reader :perm + # Create a new (empty) PermissionSet + # + def initialize + @perm = {} + end + + # Inspection simply inspects the internal hash + def inspect + @perm.inspect + end + + # Sets the permission for command _cmd_ to _val_, + # + def set_permission(str, val) + cmd = str.to_irc_auth_command + case val + when true, false + @perm[cmd.command] = val + when nil + @perm.delete(cmd.command) + else + raise TypeError, "#{val.inspect} must be true or false" unless [true,false].include?(val) + end + end + + # Resets the permission for command _cmd_ + # + def reset_permission(cmd) + set_permission(cmd, nil) + end + + # Tells if command _cmd_ is permitted. We do this by returning + # the value of the deepest Command#path that matches. + # + def permit?(str) + cmd = str.to_irc_auth_command + # TODO user-configurable list of always-allowed commands, + # for admins that want to set permissions -* for everybody + return true if cmd.command == :login + allow = nil + cmd.path.reverse.each { |k| + if @perm.has_key?(k) + allow = @perm[k] + break + end + } + return allow + end + + end + + + # This is the error that gets raised when an invalid password is met + # + class InvalidPassword < RuntimeError + end + + + # This is the basic class for bot users: they have a username, a + # password, a list of netmasks to match against, and a list of + # permissions. A BotUser can be marked as 'transient', usually meaning + # it's not intended for permanent storage. Transient BotUsers have lower + # priority than nontransient ones for autologin purposes. + # + # To initialize a BotUser, you pass a _username_ and an optional + # hash of options. Currently, only two options are recognized: + # + # transient:: true or false, determines if the BotUser is transient or + # permanent (default is false, permanent BotUser). + # + # Transient BotUsers are initialized by prepending an + # asterisk (*) to the username, and appending a sanitized + # version of the object_id. The username can be empty. + # A random password is generated. + # + # Permanent Botusers need the username as is, and no + # password is generated. + # + # masks:: an array of Netmasks to initialize the NetmaskList. This + # list is used as-is for permanent BotUsers. + # + # Transient BotUsers will alter the list elements which are + # Irc::User by globbing the nick and any initial nonletter + # part of the ident. + # + # The masks option is optional for permanent BotUsers, but + # obligatory (non-empty) for transients. + # + class BotUser + + attr_reader :username + attr_reader :password + attr_reader :netmasks + attr_reader :perm + attr_reader :perm_temp + attr_writer :login_by_mask + attr_writer :transient + + def autologin=(vnew) + vold = @autologin + @autologin = vnew + if vold && !vnew + @netmasks.each { |n| Auth.manager.maskdb.remove(self, n) } + elsif vnew && !vold + @netmasks.each { |n| Auth.manager.maskdb.add(self, n) } + end + end + + # Checks if the BotUser is transient + def transient? + @transient + end + + # Checks if the BotUser is permanent (not transient) + def permanent? + !@transient + end + + # Sets if the BotUser is permanent or not + def permanent=(bool) + @transient=!bool + end + + # Make the BotUser permanent + def make_permanent(name) + raise TypeError, "permanent already" if permanent? + @username = BotUser.sanitize_username(name) + @transient = false + reset_autologin + reset_password # or not? + @netmasks.dup.each do |m| + delete_netmask(m) + add_netmask(m.generalize) + end + end + + # Create a new BotUser with given username + def initialize(username, options={}) + opts = {:transient => false}.merge(options) + @transient = opts[:transient] + + if @transient + @username = "*" + @username << BotUser.sanitize_username(username) if username and not username.to_s.empty? + @username << BotUser.sanitize_username(object_id) + reset_password + @login_by_mask=true + @autologin=true + else + @username = BotUser.sanitize_username(username) + @password = nil + reset_login_by_mask + reset_autologin + end + + @netmasks = NetmaskList.new + if opts.key?(:masks) and opts[:masks] + masks = opts[:masks] + masks = [masks] unless masks.respond_to?(:each) + masks.each { |m| + mask = m.to_irc_netmask + if @transient and User === m + mask.nick = "*" + mask.host = m.host.dup + mask.user = "*" + m.user.sub(/^\w?[^\w]+/,'') + end + add_netmask(mask) unless mask.to_s == "*" + } + end + raise "must provide a usable mask for transient BotUser #{@username}" if @transient and @netmasks.empty? + + @perm = {} + @perm_temp = {} + end + + # Inspection + def inspect + str = self.__to_s__[0..-2] + str << " (transient)" if @transient + str << ":" + str << " @username=#{@username.inspect}" + str << " @netmasks=#{@netmasks.inspect}" + str << " @perm=#{@perm.inspect}" + str << " @perm_temp=#{@perm_temp.inspect}" unless @perm_temp.empty? + str << " @login_by_mask=#{@login_by_mask}" + str << " @autologin=#{@autologin}" + str << ">" + end + + # In strings + def to_s + @username + end + + # Convert into a hash + def to_hash + { + :username => @username, + :password => @password, + :netmasks => @netmasks, + :perm => @perm, + :login_by_mask => @login_by_mask, + :autologin => @autologin, + } + end + + # Do we allow logging in without providing the password? + # + def login_by_mask? + @login_by_mask + end + + # Reset the login-by-mask option + # + def reset_login_by_mask + @login_by_mask = Auth.manager.bot.config['auth.login_by_mask'] unless defined?(@login_by_mask) + end + + # Reset the autologin option + # + def reset_autologin + @autologin = Auth.manager.bot.config['auth.autologin'] unless defined?(@autologin) + end + + # Do we allow automatic logging in? + # + def autologin? + @autologin + end + + # Restore from hash + def from_hash(h) + @username = h[:username] if h.has_key?(:username) + @password = h[:password] if h.has_key?(:password) + @login_by_mask = h[:login_by_mask] if h.has_key?(:login_by_mask) + @autologin = h[:autologin] if h.has_key?(:autologin) + if h.has_key?(:netmasks) + @netmasks = h[:netmasks] + debug @netmasks + @netmasks.each { |n| Auth.manager.maskdb.add(self, n) } if @autologin + debug @netmasks + end + @perm = h[:perm] if h.has_key?(:perm) + end + + # This method sets the password if the proposed new password + # is valid + def password=(pwd=nil) + pass = pwd.to_s + if pass.empty? + reset_password + else + begin + raise InvalidPassword, "#{pass} contains invalid characters" if pass !~ /^[\x21-\x7e]+$/ + raise InvalidPassword, "#{pass} too short" if pass.length < 4 + @password = pass + rescue InvalidPassword => e + raise e + rescue => e + raise InvalidPassword, "Exception #{e.inspect} while checking #{pass.inspect} (#{pwd.inspect})" + end + end + end + + # Resets the password by creating a new onw + def reset_password + @password = Auth.random_password + end + + # Sets the permission for command _cmd_ to _val_ on channel _chan_ + # + def set_permission(cmd, val, chan="*") + k = chan.to_s.to_sym + @perm[k] = PermissionSet.new unless @perm.has_key?(k) + @perm[k].set_permission(cmd, val) + end + + # Resets the permission for command _cmd_ on channel _chan_ + # + def reset_permission(cmd, chan ="*") + set_permission(cmd, nil, chan) + end + + # Sets the temporary permission for command _cmd_ to _val_ on channel _chan_ + # + def set_temp_permission(cmd, val, chan="*") + k = chan.to_s.to_sym + @perm_temp[k] = PermissionSet.new unless @perm_temp.has_key?(k) + @perm_temp[k].set_permission(cmd, val) + end + + # Resets the temporary permission for command _cmd_ on channel _chan_ + # + def reset_temp_permission(cmd, chan ="*") + set_temp_permission(cmd, nil, chan) + end + + # Checks if BotUser is allowed to do something on channel _chan_, + # or on all channels if _chan_ is nil + # + def permit?(cmd, chan=nil) + if chan + k = chan.to_s.to_sym + else + k = :* + end + allow = nil + pt = @perm.merge @perm_temp + if pt.has_key?(k) + allow = pt[k].permit?(cmd) + end + return allow + end + + # Adds a Netmask + # + def add_netmask(mask) + m = mask.to_irc_netmask + @netmasks << m + if self.autologin? + Auth.manager.maskdb.add(self, m) + Auth.manager.logout_transients(m) if self.permanent? + end + end + + # Removes a Netmask + # + def delete_netmask(mask) + m = mask.to_irc_netmask + @netmasks.delete(m) + Auth.manager.maskdb.remove(self, m) if self.autologin? + end + + # Reset Netmasks, clearing @netmasks + # + def reset_netmasks + @netmasks.each { |m| + Auth.manager.maskdb.remove(self, m) if self.autologin? + } + @netmasks.clear + end + + # This method checks if BotUser has a Netmask that matches _user_ + # + def knows?(usr) + user = usr.to_irc_user + !!@netmasks.find { |n| user.matches? n } + end + + # This method gets called when User _user_ wants to log in. + # It returns true or false depending on whether the password + # is right. If it is, the Netmask of the user is added to the + # list of acceptable Netmask unless it's already matched. + def login(user, password=nil) + if password == @password or (password.nil? and (@login_by_mask || @autologin) and knows?(user)) + add_netmask(user) unless knows?(user) + debug "#{user} logged in as #{self.inspect}" + return true + else + return false + end + end + + # # This method gets called when User _user_ has logged out as this BotUser + # def logout(user) + # delete_netmask(user) if knows?(user) + # end + + # This method sanitizes a username by chomping, downcasing + # and replacing any nonalphanumeric character with _ + # + def BotUser.sanitize_username(name) + candidate = name.to_s.chomp.downcase.gsub(/[^a-z0-9]/,"_") + raise "sanitized botusername #{candidate} too short" if candidate.length < 3 + return candidate + end + + end + + # This is the default BotUser: it's used for all users which haven't + # identified with the bot + # + class DefaultBotUserClass < BotUser + + private :add_netmask, :delete_netmask + + include Singleton + + # The default BotUser is named 'everyone' + # + def initialize + reset_login_by_mask + reset_autologin + super("everyone") + @default_perm = PermissionSet.new + end + + # This method returns without changing anything + # + def login_by_mask=(val) + debug "Tried to change the login-by-mask for default bot user, ignoring" + return @login_by_mask + end + + # The default botuser allows logins by mask + # + def reset_login_by_mask + @login_by_mask = true + end + + # This method returns without changing anything + # + def autologin=(val) + debug "Tried to change the autologin for default bot user, ignoring" + return + end + + # The default botuser doesn't allow autologin (meaningless) + # + def reset_autologin + @autologin = false + end + + # Sets the default permission for the default user (i.e. the ones + # set by the BotModule writers) on all channels + # + def set_default_permission(cmd, val) + @default_perm.set_permission(Command.new(cmd), val) + debug "Default permissions now: #{@default_perm.pretty_inspect}" + end + + # default knows everybody + # + def knows?(user) + return true if user.to_irc_user + end + + # We always allow logging in as the default user + def login(user, password) + return true + end + + # DefaultBotUser will check the default_perm after checking + # the global ones + # or on all channels if _chan_ is nil + # + def permit?(cmd, chan=nil) + allow = super(cmd, chan) + if allow.nil? && chan.nil? + allow = @default_perm.permit?(cmd) + end + return allow + end + + end + + # Returns the only instance of DefaultBotUserClass + # + def Auth.defaultbotuser + return DefaultBotUserClass.instance + end + + # This is the BotOwner: he can do everything + # + class BotOwnerClass < BotUser + + include Singleton + + def initialize + @login_by_mask = false + @autologin = true + super("owner") + end + + def permit?(cmd, chan=nil) + return true + end + + end + + # Returns the only instance of BotOwnerClass + # + def Auth.botowner + return BotOwnerClass.instance + end + + + class BotUser + # Check if the current BotUser is the default one + def default? + return DefaultBotUserClass === self + end + + # Check if the current BotUser is the owner + def owner? + return BotOwnerClass === self + end + end + + + # This is the ManagerClass singleton, used to manage + # Irc::User/Irc::Bot::Auth::BotUser connections and everything + # + class ManagerClass + + include Singleton + + attr_reader :maskdb + attr_reader :everyone + attr_reader :botowner + attr_reader :bot + + # The instance manages two Hashes: one that maps + # Irc::Users onto BotUsers, and the other that maps + # usernames onto BotUser + def initialize + @everyone = Auth::defaultbotuser + @botowner = Auth::botowner + bot_associate(nil) + end + + def bot_associate(bot) + raise "Cannot associate with a new bot! Save first" if defined?(@has_changes) && @has_changes + + reset_hashes + + # Associated bot + @bot = bot + + # This variable is set to true when there have been changes + # to the botusers list, so that we know when to save + @has_changes = false + end + + def set_changed + @has_changes = true + end + + def reset_changed + @has_changes = false + end + + def changed? + @has_changes + end + + # resets the hashes + def reset_hashes + @botusers = Hash.new + @maskdb = NetmaskDb.new + @allbotusers = Hash.new + [everyone, botowner].each do |x| + @allbotusers[x.username.to_sym] = x + end + end + + def load_array(ary, forced) + unless ary + warning "Tried to load an empty array" + return + end + raise "Won't load with unsaved changes" if @has_changes and not forced + reset_hashes + ary.each { |x| + raise TypeError, "#{x} should be a Hash" unless x.kind_of?(Hash) + u = x[:username] + unless include?(u) + create_botuser(u) + end + get_botuser(u).from_hash(x) + get_botuser(u).transient = false + } + @has_changes=false + end + + def save_array + @allbotusers.values.map { |x| + x.transient? ? nil : x.to_hash + }.compact + end + + # checks if we know about a certain BotUser username + def include?(botusername) + @allbotusers.has_key?(botusername.to_sym) + end + + # Maps Irc::User to BotUser + def irc_to_botuser(ircuser) + logged = @botusers[ircuser.to_irc_user] + return logged if logged + return autologin(ircuser) + end + + # creates a new BotUser + def create_botuser(name, password=nil) + n = BotUser.sanitize_username(name) + k = n.to_sym + raise "botuser #{n} exists" if include?(k) + bu = BotUser.new(n) + bu.password = password + @allbotusers[k] = bu + return bu + end + + # returns the botuser with name _name_ + def get_botuser(name) + @allbotusers.fetch(BotUser.sanitize_username(name).to_sym) + end + + # Logs Irc::User _user_ in to BotUser _botusername_ with password _pwd_ + # + # raises an error if _botusername_ is not a known BotUser username + # + # It is possible to autologin by Netmask, on request + # + def login(user, botusername, pwd=nil) + ircuser = user.to_irc_user + n = BotUser.sanitize_username(botusername) + k = n.to_sym + raise "No such BotUser #{n}" unless include?(k) + if @botusers.has_key?(ircuser) + return true if @botusers[ircuser].username == n + # TODO + # @botusers[ircuser].logout(ircuser) + end + bu = @allbotusers[k] + if bu.login(ircuser, pwd) + @botusers[ircuser] = bu + return true + end + return false + end + + # Tries to auto-login Irc::User _user_ by looking at the known botusers that allow autologin + # and trying to login without a password + # + def autologin(user) + ircuser = user.to_irc_user + debug "Trying to autologin #{ircuser}" + return @botusers[ircuser] if @botusers.has_key?(ircuser) + bu = maskdb.find(ircuser) + if bu + debug "trying #{bu}" + bu.login(ircuser) or raise '...what?!' + @botusers[ircuser] = bu + return bu + end + # Finally, create a transient if we're set to allow it + if @bot.config['auth.autouser'] + bu = create_transient_botuser(ircuser) + @botusers[ircuser] = bu + return bu + end + return everyone + end + + # Creates a new transient BotUser associated with Irc::User _user_, + # automatically logging him in. Note that transient botuser creation can + # fail, typically if we don't have the complete user netmask (e.g. for + # messages coming in from a linkbot) + # + def create_transient_botuser(user) + ircuser = user.to_irc_user + bu = everyone + begin + bu = BotUser.new(ircuser, :transient => true, :masks => ircuser) + bu.login(ircuser) + rescue + warning "failed to create transient for #{user}" + error $! + end + return bu + end + + # Logs out any Irc::User matching Irc::Netmask _m_ and logged in + # to a transient BotUser + # + def logout_transients(m) + debug "to check: #{@botusers.keys.join ' '}" + @botusers.keys.each do |iu| + debug "checking #{iu.fullform} against #{m.fullform}" + bu = @botusers[iu] + bu.transient? or next + iu.matches?(m) or next + @botusers.delete(iu).autologin = false + end + end + + # Makes transient BotUser _user_ into a permanent BotUser + # named _name_; if _user_ is an Irc::User, act on the transient + # BotUser (if any) it's logged in as + # + def make_permanent(user, name) + buname = BotUser.sanitize_username(name) + # TODO merge BotUser instead? + raise "there's already a BotUser called #{name}" if include?(buname) + + tuser = nil + case user + when String, Irc::User + tuser = irc_to_botuser(user) + when BotUser + tuser = user + else + raise TypeError, "sorry, don't know how to make #{user.class} into a permanent BotUser" + end + return nil unless tuser + raise TypeError, "#{tuser} is not transient" unless tuser.transient? + + tuser.make_permanent(buname) + @allbotusers[tuser.username.to_sym] = tuser + + return tuser + end + + # Checks if User _user_ can do _cmd_ on _chan_. + # + # Permission are checked in this order, until a true or false + # is returned: + # * associated BotUser on _chan_ + # * associated BotUser on all channels + # * everyone on _chan_ + # * everyone on all channels + # + def permit?(user, cmdtxt, channel=nil) + if user.class <= BotUser + botuser = user + else + botuser = user.botuser + end + cmd = cmdtxt.to_irc_auth_command + + chan = channel + case chan + when User + chan = "?" + when Channel + chan = chan.name + end + + allow = nil + + allow = botuser.permit?(cmd, chan) if chan + return allow unless allow.nil? + allow = botuser.permit?(cmd) + return allow unless allow.nil? + + unless botuser == everyone + allow = everyone.permit?(cmd, chan) if chan + return allow unless allow.nil? + allow = everyone.permit?(cmd) + return allow unless allow.nil? + end + + raise "Could not check permission for user #{user.inspect} to run #{cmdtxt.inspect} on #{chan.inspect}" + end + + # Checks if command _cmd_ is allowed to User _user_ on _chan_, optionally + # telling if the user is authorized + # + def allow?(cmdtxt, user, chan=nil) + if permit?(user, cmdtxt, chan) + return true + else + # cmds = cmdtxt.split('::') + # @bot.say chan, "you don't have #{cmds.last} (#{cmds.first}) permissions here" if chan + @bot.say chan, _("%{user}, you don't have '%{command}' permissions here") % + {:user=>user, :command=>cmdtxt} if chan + return false + end + end + + end + + # Returns the only instance of ManagerClass + # + def Auth.manager + return ManagerClass.instance + end + + end +end + + class User + + # A convenience method to automatically found the botuser + # associated with the receiver + # + def botuser + Irc::Bot::Auth.manager.irc_to_botuser(self) + end + end + +end